Windows Analysis Report
PSI-CONF_Setup_v2.76.exe

Overview

General Information

Sample name:	PSI-CONF_Setup_v2.76.exe
Analysis ID:	1528774
MD5:	4bf5ec6ea419625fd7fbc9d7df84b5f4
SHA1:	4f530013dcc3d2393abb006ca66834f558036c89
SHA256:	9162049d459e334a9721e7e770bf2e1e64d60ebccfbf43d727e8975db6c9df00
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	47
Range:	0 - 100

Signatures

Installs new ROOT certificates

Sigma detected: Dot net compiler compiles file from suspicious location

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables driver privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

Compliance

Uses 32bit PE files

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\ProgramData\Phoenix Contact\PSIConfSoftware\SetupLog.txt

Jump to behavior

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: certificate valid

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Spreading

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Source: irsetup.exe, 00000002.00000002.2847956855.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826847095.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com
Source: irsetup.exe, 00000002.00000002.2847956855.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826847095.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.comERROR:
Source: irsetup.exe, 00000002.00000003.2826640586.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826600914.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2837708313.000000000441E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2840976065.0000000004426000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826509562.0000000004753000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2842645729.000000000442D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828366742.0000000004453000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2837620517.0000000004406000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828456225.0000000004466000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2841318428.0000000004426000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2841359508.0000000004429000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phoenixcontact.com/
Source: irsetup.exe, 00000002.00000003.2841085831.0000000004474000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828743366.000000000446C000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828671762.0000000004468000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828415199.000000000445D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828366742.0000000004453000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828456225.0000000004466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phoenixcontact.com/EditField)_0
Source: irsetup.exe, 00000002.00000003.2825182735.00000000052F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://select.phoenixcontact.com/phoenix/dwl/dwl01.jsp?from=psiconf&file=

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\SET152A.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\SET18A5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\slabvcp.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.cat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\slabvcp.cat	Jump to dropped file

System Summary

Creates driver files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys

Jump to behavior

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem0.PNF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem1.PNF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem3.PNF	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_d5d1b7de54203434	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_d5d1b7de54203434\x64	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	File created: C:\Windows\assembly\Desktop.ini

Deletes files inside the Windows folder

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_0040525A	0_2_0040525A
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00403FB0	0_2_00403FB0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F62825	12_2_00007FF848F62825
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F73B3E	12_2_00007FF848F73B3E
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F6F35C	12_2_00007FF848F6F35C
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F72FBD	12_2_00007FF848F72FBD
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F62953	12_2_00007FF848F62953
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F6D6E9	12_2_00007FF848F6D6E9

Enables driver privileges

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe

Process token adjusted: Load Driver

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: String function: 00007FF848F65810 appears 39 times
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: String function: 00007FF848F64E70 appears 37 times

PE file contains executable resources (Code or Archives)

Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_DIALOG type: COM executable for DOS
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: Phoenix Contact VCPInstaller.exe.2.dr	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: WdfCoInstaller01009.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1639755 bytes, 2 files, at 0x44 +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Win2k-WinXP-Win2k3.exe" +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Vista.msu", flags 0x4, ID 12343, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression

Sample file is different than original file name gathered from version info

Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849394316.000000000040E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesuf80_launch.exe2 vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849863551.00000000006F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_rt.exeT vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849935303.0000000002130000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_launch.exe2 vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000003.2848630429.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_rt.exeT vs PSI-CONF_Setup_v2.76.exe

Uses 32bit PE files

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: irsetup.exe.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9887366134129213
Source: WdfCoInstaller01009.dll.2.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9985629322738576

Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: classification engine

Classification label: sus24.expl.evad.winEXE@18/192@0/0

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_004018EE lstrlenA,GetCurrentDirectoryA,_memset,GetTempPathA,lstrlenA,lstrlenA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,DeleteFileA,RemoveDirectoryA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,CreateDirectoryA,lstrcpyA,lstrcpyA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA,

0_2_004018EE

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\Public\Desktop\PSI-CONF.lnk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Mutant created: \Sessions\1\BaseNamedObjects\PSI-CONF
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_03

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: Yara match

File source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe, type: DROPPED

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Command line argument: /~DBG

0_2_0040121E

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File read: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe "C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe"
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe"
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.inf" "9" "4f7b0f4b7" "0000000000000148" "WinSta0\Default" "0000000000000168" "208" "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe "C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe"
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe "C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe"	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: pnpui.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msls31.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cscomp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File written: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\setup.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Window detected: Number of UI elements: 11

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: certificate valid

Source: PSI-CONF_Setup_v2.76.exe

Static file information: File size 46190112 > 1048576

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Data Obfuscation

Compiles C# or VB.Net code

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00407054 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_00407054

PE file contains sections with non-standard names

Source: silabenm.sys.2.dr	Static PE information: section name: PAGESENM
Source: silabser.sys.2.dr	Static PE information: section name: PAGESRP0
Source: silabser.sys.2.dr	Static PE information: section name: PAGESER
Source: silabenm.sys0.2.dr	Static PE information: section name: PAGESENM

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00403F99 push ecx; ret	0_2_00403FAC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\drvinst.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Blob

Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\de\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\de\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\uninstall.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\rqco3gp6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\zh-CHS\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541_HG.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ru\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\de\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabenm.sys	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\zh-CHS\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\zh-CHS\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\de\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\zh-CHS\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\zh-CHS\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\de\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\de\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\de\BugReportCreator.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF AutoUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\de\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14EA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\de\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\zh-CHS\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\zh-CHS\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\de\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\zh-CHS\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\zh-CHS\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\zh-CHS\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ru\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\zh-CHS\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\zh-CHS\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\de\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\ru\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\de\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\GetActiveProxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\zh-CHS\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\de\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\zh-CHS\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\de\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\BugReportCreator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\de\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\zh-CHS\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\de\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\de\PCID1081818.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\ProgramData\Phoenix Contact\PSIConfSoftware\SetupLog.txt

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\PSI-CONF.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\PSI-CONF Update Client.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\Uninstall PSI-CONF.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Stores large binary data to the registry

Source: C:\Windows\System32\drvinst.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

Uses cacls to modify the permissions of files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 1A10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 3A10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 1BA10000 memory commit \| memory reserve \| memory write watch

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Window / User API: threadDelayed 1087

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\de\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\de\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rqco3gp6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\zh-CHS\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541_HG.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ru\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\de\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\zh-CHS\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\zh-CHS\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\de\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\zh-CHS\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\zh-CHS\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\de\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\de\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\de\BugReportCreator.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF AutoUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\de\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14EA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\de\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\zh-CHS\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\zh-CHS\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\de\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\zh-CHS\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\zh-CHS\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\zh-CHS\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\zh-CHS\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ru\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\zh-CHS\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\de\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\ru\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\de\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\GetActiveProxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\zh-CHS\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\de\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\zh-CHS\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\de\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\BugReportCreator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\de\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\zh-CHS\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\de\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\de\PCID1081818.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Thread sleep count: Count: 1087 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563ommonProgramFiles = "%CommonProgramFiles
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc = "Microsoft Hyper-V SCSI Controller"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Activation.DeviceDesc = "Microsoft Hyper-V Activation Component"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcShutdown.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVS
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2297697663.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563=
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc = "Microsoft Hyper-V Fibre Channel HBA"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2266698107.0000000000565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; ConnectX-4 Hyper-V VF
Source: irsetup.exe, 00000002.00000003.2510425719.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_eth.DeviceDesc = "Microsoft Hyper-V Ethernet Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Heartbeat.DeviceDesc = "Microsoft Hyper-V Heartbeat"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shutdown.DeviceDesc = "Microsoft Hyper-V Guest Shutdown"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2266698107.0000000000565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; ConnectX-4 non Hyper-V VF
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMBusHid.DeviceDesc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %VSS.DeviceDesc% = VmIcVss, vmbus\{2450ee40-33bf-4fbd-892e-9fb06e9214cf}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_mbb_gsm.DeviceDesc = "Microsoft Hyper-V GSM MBB Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperVNetworkAdapterName = "Hyper-V Network Adapter Name"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; Hyper-V Network Adapter Name
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563b
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309686444.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DynMemVsc.DeviceDesc = "Microsoft Hyper-V Dynamic Memory"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TimeSync.DeviceDesc = "Microsoft Hyper-V Time Synchronization"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563Y
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Integration Components"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2259785251.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2279239071.0000000002831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GenericScsiVmLun = "Hyper-V LUN"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VSS.DeviceDesc = "Microsoft Hyper-V Volume Shadow Copy"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcHeartbeat.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; Hyper-V Synthetic Video driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563w
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcVss.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c = "Microsoft Hyper-V Activation Component"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; INF file for installing the Hyper-V crashdump driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id.DeviceDesc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GuestInterface.DeviceDesc = "Microsoft Hyper-V Guest Service Interface"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}",,0x0,"Microsoft-Windows-Hyper-V-Netvsc"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: F file for installing the Hyper-V crashdump driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rdv.DeviceDesc = "Microsoft Hyper-V Remote Desktop Virtualization"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %Heartbeat.DeviceDesc% = VmIcHeartbeat, vmbus\{57164f39-9115-4e78-ab55-382f3bd5422d}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT]
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849725983.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_80n
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId = "Microsoft Hyper-V SCSI Controller Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Input Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperVNetworkAdapterName = "Hyper-V Network Adapter N%m
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc_NULL = "Microsoft Hyper-V Fibre Channel HBA (not supported)"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RdpD.DeviceDesc = "Microsoft Hyper-V Remote Desktop Data Channel"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_ppp.DeviceDesc = "Microsoft Hyper-V VPN Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}\ChannelReferences\1",,0x0,"Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Network Adapter Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563x
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvCrash.DeviceDesc = "Microsoft Hyper-V Crashdump Driver"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RdpC.DeviceDesc = "Microsoft Hyper-V Remote Desktop Control Channel"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %Shutdown.DeviceDesc% = VmIcShutdown, vmbus\{b6650ff7-33bc-4840-8048-e0676786f393}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Desc = "Microsoft Hyper-V Guest Service Interface"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; This is the INF file for installing the Hyper-V S3 Cap driver
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperKbd.DeviceDesc = "Microsoft Hyper-V Virtual Keyboard"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SynthVid.DeviceDesc = "Microsoft Hyper-V Video"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc.DeviceDesc = "Microsoft Hyper-V Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","OwningPublisher",0x0,"{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2297697663.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","ChannelAccess",0x0,"O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; INF file for installing Hyper-V keyboard driver
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wlan, ppip, vmnetextension"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Isolation",0x00010001,0
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Video Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId = "Microsoft Hyper-V Fibre Channel HBA Installation Disk #1"
Source: irsetup.exe, 00000002.00000003.2510425719.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Crash Dump Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Enabled",0x00010001,0
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KvpExchange.DeviceDesc = "Microsoft Hyper-V Data Exchange"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NE
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t Hyper-V Virtual Keyboard"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309686444.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Dynamic Memory Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: S3CapDevice.DeviceDesc = "Microsoft Hyper-V S3 Cap"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V S3 Cap Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_wifi.DeviceDesc = "Microsoft Hyper-V WiFi Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETV
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Virtual Keyboard Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_mbb_cdma.DeviceDesc = "Microsoft Hyper-V CDMA MBB Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.0000000002781000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVS
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKR, Ndi\Interfaces,FilterMediaTypes,,"vmnetextension"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Type",0x00010001,2

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00407054 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_00407054

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00402E99 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,

0_2_00402E99

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00405859 SetUnhandledExceptionFilter,	0_2_00405859
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00401000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401000
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00407303 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00407303
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_0040110A _memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040110A

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} global\{7407c8d9-0d94-0b41-8543-eb54da946896} c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} global\{7407c8d9-0d94-0b41-8543-eb54da946896} c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat			Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_0040605D cpuid

0_2_0040605D

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: GetLocaleInfoA,

0_2_0040783D

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00405F79 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00405F79

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

0_2_00402E99

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Windows\System32\drvinst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\46B8D8F38741CD4E839F1F6B874F58B0A87C1937 Blob

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Compliance

Uses 32bit PE files

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\ProgramData\Phoenix Contact\PSIConfSoftware\SetupLog.txt

Jump to behavior

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: certificate valid

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Spreading

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Source: irsetup.exe, 00000002.00000002.2847956855.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826847095.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com
Source: irsetup.exe, 00000002.00000002.2847956855.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826847095.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.comERROR:
Source: irsetup.exe, 00000002.00000003.2826640586.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826600914.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2837708313.000000000441E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2840976065.0000000004426000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826509562.0000000004753000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2842645729.000000000442D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828366742.0000000004453000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2837620517.0000000004406000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828456225.0000000004466000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2841318428.0000000004426000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2841359508.0000000004429000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phoenixcontact.com/
Source: irsetup.exe, 00000002.00000003.2841085831.0000000004474000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828743366.000000000446C000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828671762.0000000004468000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828415199.000000000445D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828366742.0000000004453000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828456225.0000000004466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phoenixcontact.com/EditField)_0
Source: irsetup.exe, 00000002.00000003.2825182735.00000000052F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://select.phoenixcontact.com/phoenix/dwl/dwl01.jsp?from=psiconf&file=

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\SET152A.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\SET18A5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\slabvcp.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.cat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\slabvcp.cat	Jump to dropped file

System Summary

Creates driver files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys

Jump to behavior

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem0.PNF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem1.PNF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem3.PNF	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_d5d1b7de54203434	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_d5d1b7de54203434\x64	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	File created: C:\Windows\assembly\Desktop.ini

Deletes files inside the Windows folder

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_0040525A	0_2_0040525A
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00403FB0	0_2_00403FB0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F62825	12_2_00007FF848F62825
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F73B3E	12_2_00007FF848F73B3E
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F6F35C	12_2_00007FF848F6F35C
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F72FBD	12_2_00007FF848F72FBD
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F62953	12_2_00007FF848F62953
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F6D6E9	12_2_00007FF848F6D6E9

Enables driver privileges

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe

Process token adjusted: Load Driver

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: String function: 00007FF848F65810 appears 39 times
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: String function: 00007FF848F64E70 appears 37 times

PE file contains executable resources (Code or Archives)

Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_DIALOG type: COM executable for DOS
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: Phoenix Contact VCPInstaller.exe.2.dr	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: WdfCoInstaller01009.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1639755 bytes, 2 files, at 0x44 +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Win2k-WinXP-Win2k3.exe" +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Vista.msu", flags 0x4, ID 12343, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression

Sample file is different than original file name gathered from version info

Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849394316.000000000040E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesuf80_launch.exe2 vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849863551.00000000006F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_rt.exeT vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849935303.0000000002130000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_launch.exe2 vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000003.2848630429.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_rt.exeT vs PSI-CONF_Setup_v2.76.exe

Uses 32bit PE files

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: irsetup.exe.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9887366134129213
Source: WdfCoInstaller01009.dll.2.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9985629322738576

Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: classification engine

Classification label: sus24.expl.evad.winEXE@18/192@0/0

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

0_2_004018EE

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\Public\Desktop\PSI-CONF.lnk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Mutant created: \Sessions\1\BaseNamedObjects\PSI-CONF
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_03

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: Yara match

File source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe, type: DROPPED

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Command line argument: /~DBG

0_2_0040121E

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File read: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe "C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe"
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe"
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.inf" "9" "4f7b0f4b7" "0000000000000148" "WinSta0\Default" "0000000000000168" "208" "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe "C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe"
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe "C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe"	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: pnpui.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msls31.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cscomp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File written: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\setup.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Window detected: Number of UI elements: 11

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: certificate valid

Source: PSI-CONF_Setup_v2.76.exe

Static file information: File size 46190112 > 1048576

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Data Obfuscation

Compiles C# or VB.Net code

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00407054 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_00407054

PE file contains sections with non-standard names

Source: silabenm.sys.2.dr	Static PE information: section name: PAGESENM
Source: silabser.sys.2.dr	Static PE information: section name: PAGESRP0
Source: silabser.sys.2.dr	Static PE information: section name: PAGESER
Source: silabenm.sys0.2.dr	Static PE information: section name: PAGESENM

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00403F99 push ecx; ret	0_2_00403FAC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\drvinst.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Blob

Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\de\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\de\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\uninstall.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\rqco3gp6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\zh-CHS\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541_HG.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ru\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\de\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabenm.sys	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\zh-CHS\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\zh-CHS\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\de\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\zh-CHS\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\zh-CHS\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\de\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\de\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\de\BugReportCreator.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF AutoUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\de\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14EA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\de\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\zh-CHS\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\zh-CHS\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\de\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\zh-CHS\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\zh-CHS\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\zh-CHS\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ru\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\zh-CHS\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\zh-CHS\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\de\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\ru\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\de\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\GetActiveProxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\zh-CHS\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\de\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\zh-CHS\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\de\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\BugReportCreator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\de\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\zh-CHS\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\de\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\de\PCID1081818.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\ProgramData\Phoenix Contact\PSIConfSoftware\SetupLog.txt

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\PSI-CONF.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\PSI-CONF Update Client.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\Uninstall PSI-CONF.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Stores large binary data to the registry

Source: C:\Windows\System32\drvinst.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

Uses cacls to modify the permissions of files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 1A10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 3A10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 1BA10000 memory commit \| memory reserve \| memory write watch

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Window / User API: threadDelayed 1087

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\de\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\de\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rqco3gp6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\zh-CHS\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541_HG.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ru\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\de\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\zh-CHS\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\zh-CHS\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\de\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\zh-CHS\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\zh-CHS\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\de\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\de\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\de\BugReportCreator.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF AutoUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\de\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14EA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\de\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\zh-CHS\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\zh-CHS\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\de\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\zh-CHS\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\zh-CHS\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\zh-CHS\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\zh-CHS\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ru\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\zh-CHS\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\de\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\ru\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\de\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\GetActiveProxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\zh-CHS\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\de\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\zh-CHS\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\de\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\BugReportCreator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\de\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\zh-CHS\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\de\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\de\PCID1081818.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Thread sleep count: Count: 1087 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563ommonProgramFiles = "%CommonProgramFiles
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc = "Microsoft Hyper-V SCSI Controller"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Activation.DeviceDesc = "Microsoft Hyper-V Activation Component"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcShutdown.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVS
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2297697663.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563=
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc = "Microsoft Hyper-V Fibre Channel HBA"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2266698107.0000000000565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; ConnectX-4 Hyper-V VF
Source: irsetup.exe, 00000002.00000003.2510425719.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_eth.DeviceDesc = "Microsoft Hyper-V Ethernet Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Heartbeat.DeviceDesc = "Microsoft Hyper-V Heartbeat"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shutdown.DeviceDesc = "Microsoft Hyper-V Guest Shutdown"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2266698107.0000000000565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; ConnectX-4 non Hyper-V VF
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMBusHid.DeviceDesc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %VSS.DeviceDesc% = VmIcVss, vmbus\{2450ee40-33bf-4fbd-892e-9fb06e9214cf}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_mbb_gsm.DeviceDesc = "Microsoft Hyper-V GSM MBB Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperVNetworkAdapterName = "Hyper-V Network Adapter Name"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; Hyper-V Network Adapter Name
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563b
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309686444.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DynMemVsc.DeviceDesc = "Microsoft Hyper-V Dynamic Memory"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TimeSync.DeviceDesc = "Microsoft Hyper-V Time Synchronization"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563Y
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Integration Components"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2259785251.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2279239071.0000000002831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GenericScsiVmLun = "Hyper-V LUN"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VSS.DeviceDesc = "Microsoft Hyper-V Volume Shadow Copy"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcHeartbeat.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; Hyper-V Synthetic Video driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563w
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcVss.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c = "Microsoft Hyper-V Activation Component"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; INF file for installing the Hyper-V crashdump driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id.DeviceDesc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GuestInterface.DeviceDesc = "Microsoft Hyper-V Guest Service Interface"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}",,0x0,"Microsoft-Windows-Hyper-V-Netvsc"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: F file for installing the Hyper-V crashdump driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rdv.DeviceDesc = "Microsoft Hyper-V Remote Desktop Virtualization"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %Heartbeat.DeviceDesc% = VmIcHeartbeat, vmbus\{57164f39-9115-4e78-ab55-382f3bd5422d}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT]
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849725983.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_80n
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId = "Microsoft Hyper-V SCSI Controller Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Input Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperVNetworkAdapterName = "Hyper-V Network Adapter N%m
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc_NULL = "Microsoft Hyper-V Fibre Channel HBA (not supported)"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RdpD.DeviceDesc = "Microsoft Hyper-V Remote Desktop Data Channel"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_ppp.DeviceDesc = "Microsoft Hyper-V VPN Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}\ChannelReferences\1",,0x0,"Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Network Adapter Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563x
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvCrash.DeviceDesc = "Microsoft Hyper-V Crashdump Driver"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RdpC.DeviceDesc = "Microsoft Hyper-V Remote Desktop Control Channel"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %Shutdown.DeviceDesc% = VmIcShutdown, vmbus\{b6650ff7-33bc-4840-8048-e0676786f393}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Desc = "Microsoft Hyper-V Guest Service Interface"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; This is the INF file for installing the Hyper-V S3 Cap driver
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperKbd.DeviceDesc = "Microsoft Hyper-V Virtual Keyboard"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SynthVid.DeviceDesc = "Microsoft Hyper-V Video"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc.DeviceDesc = "Microsoft Hyper-V Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","OwningPublisher",0x0,"{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2297697663.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","ChannelAccess",0x0,"O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; INF file for installing Hyper-V keyboard driver
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wlan, ppip, vmnetextension"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Isolation",0x00010001,0
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Video Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId = "Microsoft Hyper-V Fibre Channel HBA Installation Disk #1"
Source: irsetup.exe, 00000002.00000003.2510425719.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Crash Dump Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Enabled",0x00010001,0
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KvpExchange.DeviceDesc = "Microsoft Hyper-V Data Exchange"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NE
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t Hyper-V Virtual Keyboard"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309686444.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Dynamic Memory Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: S3CapDevice.DeviceDesc = "Microsoft Hyper-V S3 Cap"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V S3 Cap Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_wifi.DeviceDesc = "Microsoft Hyper-V WiFi Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETV
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Virtual Keyboard Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_mbb_cdma.DeviceDesc = "Microsoft Hyper-V CDMA MBB Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.0000000002781000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVS
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKR, Ndi\Interfaces,FilterMediaTypes,,"vmnetextension"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Type",0x00010001,2

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00407054 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_00407054

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

0_2_00402E99

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00405859 SetUnhandledExceptionFilter,	0_2_00405859
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00401000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401000
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00407303 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00407303
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_0040110A _memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040110A

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} global\{7407c8d9-0d94-0b41-8543-eb54da946896} c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} global\{7407c8d9-0d94-0b41-8543-eb54da946896} c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat			Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_0040605D cpuid

0_2_0040605D

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: GetLocaleInfoA,

0_2_0040783D

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00405F79 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00405F79

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

0_2_00402E99

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Windows\System32\drvinst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\46B8D8F38741CD4E839F1F6B874F58B0A87C1937 Blob

Jump to behavior

ID:	1528774
Product:	CloudBasic
Start time:	09:44:43
Start date:	08.10.2024
Sample:	PSI-CONF_Setup_v2.76.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	4bf5ec6ea419625fd7fbc9d7df84b5f4
SHA1:	4f530013dcc3d2393abb006ca66834f558036c89
SHA256:	9162049d459e334a9721e7e770bf2e1e64d60ebccfbf43d727e8975db6c9df00
Filetype:	Win32 Executable (generic) a (10002005/4) 99.70%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	PE32 executable (GUI) Intel 80386, for MS Windows	BE32437D1739B5538398412C511CE671	202B5F1E6C960F2AC18F5641BB6289DF83A6F367	E22D65BD78CA58C168869BE36867F7D3A88B1C5DD1001DC4F0507DA63666A1CC
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\slabvcp.cat	data	FB782004A59BF05EDAFEEE9CEB1AB567	0DDF1D5026BCAC265294F2BA111A85A3B01A7BE4	6E82E523B5CEC089A9C660B9BD73FC235CC2001D3E0689DB8D637F5455CA8F66
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\slabvcp.inf	Windows setup INFormation	6FA46FEDF1CBE21B587F21286466D8A6	39A9B9E3887960581A5F3E4DAA497F9111B7F74A	32B8BDF3D6D7907AEC9FBA68B94BEF31FF5EB0597EB73C9B4FFE59B4B3CDAD69
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	4DA5DA193E0E4F86F6F8FD43EF25329A	68A44D37FF535A2C454F2440E1429833A1C6D810	18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	PE32+ executable (native) x86-64, for MS Windows	7799106FEE728B907A86D9C9751E02D5	F35320E535159D43B598C7C11684DB05BE4196A6	EE85E8D3CF3819DB28221BFC103DE8DF0E14E1878CECF54E8CD8C161B0E0AF3C
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	PE32+ executable (native) x86-64, for MS Windows	447209C314E6E0D26E01962075802B18	DD8AF2E3AA38D2D6971568EBF2CF41848E0091F5	AB1AC5854EB0EDF66025609CF9CB5639014C264327F4DEE1223BF7F6E1BD2D15
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A9970042BE512C7981B36E689C5F3F9F	B0BA0DE22ADE0EE5324EAA82E179F41D2C67B63E	7A6BF1F950684381205C717A51AF2D9C81B203CB1F3DB0006A4602E2DF675C77
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	PE32 executable (native) Intel 80386, for MS Windows	3EAD8E1668CE42A0AFE41D56E7157BCF	C164EE1014A9D64BEFCDB46AB4B1C67C1F23E47B	90A1AA6372356046B28C079954458F42849779FFC48C93AF0549A7673B276EB3
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	PE32 executable (native) Intel 80386, for MS Windows	688F8D8A147F04169139A681A1AA0035	5D05647EBD0052433CB4574F5EC614E404F71314	4857A353D5A3A390A134999268CF05F09C82E5E881822A43984F8BC74E7D00B1
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\BugReportCreator.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	E4F6DBE53E41F5CAA6A14D2195AC8615	92CF88730ECF93B28229A1C6D93C104671D51745	F43E792653AA0C2E7D10339B27404500E179E98DEEE1F77F2A0F7CA6983635DA
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\ICSharpCode.SharpZipLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1314A8767E8FFB6B4C96C2E0C608AFEB	A4D30B8C0BDFC57DF67210B2111710773247BF0F	0447FCF60D40409C937C49ACB9327E95A1AD949BC7E8AF0CA4A699FC6A178EBC
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\de\BugReportCreator.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C9DDB475613AC1F348DA11580A7E3085	34FF9F9EB04A5625D1BAF2455F1D8399B785FD9C	9202488D2E02F704F0161F08DE10C945EEAE1DB31A402E22DBFC6BFD4B712FBD
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C03E258BC2D9F57DD886D3181F8709BA	1E387CFDC5F332DC6DAB5A25745B42842ECB2830	32C58021CECEDA30BDCB118CBD72E3C07772A51B7E13F6EB9FFFF6A9B155B55F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	70EC0E7E43E2CD1BB00CFD7A383FF890	21B2BF3531CAD7267070FDE18CAB574459690010	650907B817DC2FC92FA608A495B2C1A38A5E5BF792BCF4A51384AEA9EADD4591
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PhoenixResourceManager.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	28F339164749C81FA8F33C5DE72FA316	ADC457E581AE811C1F9F073F2BDD510D093623CC	BB223255FE4274A1FB5B6786DA1DB6EA8490287BB923A9ECA1CA7695D07B5A9F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\de\PCID1081818.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	056059639E9B75500B18C7A2111FC8D8	6E837B5E28ABD5CE244A52F4475F7F15B77D3A18	732924973DA71BC926326D31DA8AFEA26AC399F7063B6D73E4712CBD4E716C9A
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\modbconf.xml	Unicode text, UTF-8 (with BOM) text, with no line terminators	3E5418C4E7E9DC9ACFE71127B455B084	8B1C6B323943D834706D029EFA829BD44DD74CBE	15C3B96F195AF135766F99C55A5C4B79BD64EB42D21B5F1FFA2D8816E97B5F8D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	PE32 executable (GUI) Intel 80386, for MS Windows	883FD5861FEFF333B5809ABBFEA98325	8B450839D343C261C61BB40041B80D96A42992E8	7C2B9448886AB046C1A7536D8A5167FCE932CDED7C236D2F4D8C36618438ED06
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows	05408F7E07C30618E6D8173D10F8323D	0D52BD8572ADAFE06BB6D050C30DFB08561F0501	69F7701F54BBEF76830BEF6AEFCB8AB3B5ABD900D182C720E3FCA0E087A4F0A1
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\streamGE864_7_02_005.BIN	data	20D70503DCF8E01BD22E41B75B21C005	22FEEF11FC5F1165DB0515E19DC96F615DA89877	9601CB4FD128C780A5F9BF7A7C43939E096B42240A899BF4A365A845A2062262
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D577FE84B84F269CF750A3BB2A4AC85E	A6B1A0240C381E5B6E8758F2954CC354A0BAE3D9	DA50A780B955AACEBF173C323F746297892F34E4E4F045CDEE6D743058F4F234
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\de\PCID2313106.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	8DFF2A8BCB8B4A74C603F66D02DDC8D3	BF56500BB29D63C6856D467FFF01E67094881EEB	BF311DA284E71F5B157301EB645639E4AE6A4F0D855E24228EEB08D42F82B68E
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\zh-CHS\PCID2313106.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	CEF030652945394F5382839392AD5D34	A6C6F02724DA7595BAB9D908C38271E3C5518895	AFA0114429F5DF7F0BF73980E7CC8ED4CFE95CBD0333EC89C4F14C88A6287AD8
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F2053141CE19750B692E3EE1007C9DC6	1E43C7E522EBC4C9114501D8E509DF4390FB37A4	6512AF72A86A34FE82AEE5E18880691F2A0D1CC8B78AA73E14C9BD3AD64D60B3
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\de\PCID2313449.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A22F9A164C518A0F7F659DD68482E7EA	67121BAD6AD6087FA5CA3EE7CA13C18554A1B2CD	23409C497BD9382F498291A190AE42B7ACAFB5C39C2F4DA390BE56D1957F8CD5
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\zh-CHS\PCID2313449.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	468187A010F3003D51A7915985E4D699	CA9844935929CB1C1514439ACD23F8CC92A1ADD4	A044E0F94A630F31EFE1F31DD18BA64D96C67127C87188F6D7B92F99E0C2A124
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	4260AFED258C22C66164B0EEBB7ABA54	E98010B1F337025F09336A2540D31B2F166BB348	011FA216BD89E45E839FBFAF70E33837EB92C898EE9BC75BB6806C0C4338869E
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\de\PCID2313533.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	9B7AA089F3B887852B8E06661E851294	3DEA89A341FBDD72BECFCBDC51621A2A37F6137F	3D83E371FF698D3275DE82606F56351B98B8140768666A51D27AC7A2BDF7525F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\zh-CHS\PCID2313533.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	8E3AC961B052ABA76C8718E2BC61978F	9D3561C6FD301543AA724595A7F7397ACDFFCB60	A1BFEE76B231F6DEA2F1D6644431B60B08D987BFC1EEC32558557420D46BF10E
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\FactoryDefinedConnectionSets.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	7D9975EF372241357C97C5E8D76F464E	A4B84F3FCE42EBEBD736E9ABEDA8F2EDBAFB3BB5	7067D2EF52DD753D22166C156B7E52521881F32BD75C5F4ED2722C3B84E1B4B3
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A033DB08E4147AB9C34F4A81F1A61436	E3292BA89714250C3903F2A9E6D84B7A128E906F	0F40A78C97E542ACD797D362B78BE485AEFC459C67D1BA5054EC1DF048FCC1C0
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\de\PCID2313559.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	5006B76FB41605DB287BFB21D442D263	FE73EF2297541173B62D6F15A37F0005E81FDB5A	9BC5B119DA42F1738398A96D8C9CD21E70DF17615978194E02D3F6812D4984A3
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\zh-CHS\PCID2313559.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	B974D415F0347DC692C0730085320177	4624E861E27A0CE93EC7D22A09D94F2D6102EDDE	8B0699F868A610248A4DAEBEA60CD179B7BF640A56EE6DB37AC1FD5014C160CC
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\ICSharpCode.SharpZipLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1314A8767E8FFB6B4C96C2E0C608AFEB	A4D30B8C0BDFC57DF67210B2111710773247BF0F	0447FCF60D40409C937C49ACB9327E95A1AD949BC7E8AF0CA4A699FC6A178EBC
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	676A4618AD188A26392A022D9AF5A829	60104036F71D9BB273DE34DFF675C1F6A086CCA9	520A9E69807D59DBC5CB8BA30AA607D6042882F56792089AB849EC55D3DAB0B1
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\de\PCID2313643.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	8758318E6F42B9D275A0BCF0943DE84F	83D6BF7616C65F072946E5995B6900C05FD00CF9	BFC253A44AE2415411874274C95B4846F40353F6D5A1DD5E8FED7427C6E8A15A
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\zh-CHS\PCID2313643.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	9E781B282C40680CABF168564CFF73C8	2AB89DB7EFB49580662F009B1ABEFA39811E6907	89B9D892C3E48D61744828BFCE79070D8F81EB39C0700252E73C91E3612C71F3
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC0A8C.gsd	ISO-8859 text, with CRLF line terminators	9675018AE8DB7686A12D0E931B4BBC16	1BD060B59FA499E8842622327C1E5E097274719C	B6C7259E11468A68EC84C103D420DE69406E857FB0CCE94179964BFBA7C8F177
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_00F0.gsd	ASCII text, with CRLF line terminators	5E63A298493635C5DCBE4972C02C53C4	BC11BDC8D9F24466C8359CE4069F6211765ACDB4	C80C2707853B070EC716B3ACFFC3F646ABFCF0E54E37C1B6A8CF9502ED31164F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_0656.gsd	ASCII text, with CRLF line terminators	5AA9845D55B47B942A9B9D17CFD20DD6	D61D389BB4412212990FEA0E1BF6AD833B996C2F	D1D80B570E56233BAA52FA01F06B6425A4C838EF8C7452912303E84E292EBF61
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_066A.gsd	ASCII text, with CRLF line terminators	3A75E80627DD94D84BD25E708C71B50E	6C3C8F2B0B25E407BB6A6250A01D9EA534A9071C	F95D7072AEEE104D925509FA47CD965A86BE3CD464B8489D1A45250425A40066
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_067F.gsd	ISO-8859 text, with CRLF line terminators	0F71605945866FE4DB6C548234D5D1BB	945C618ACCC0D4908D1B0304719D7AF8268004FA	8E9C8B8F0E8B945E5C15C80C40296D91154F0E06729314570A550B241220A89D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_06BD.gsd	ASCII text, with CRLF line terminators	90FA7A0D7B52DAB37621CEB104564A71	3F1276244858EE423A259BDE4CB207A4C94CA69E	BB2DD7B2D8254A3F56AD4AB2C1B4B7017CBB6618893B42B113BFA534ABFBA893
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_06CC.gsd	ASCII text, with CRLF line terminators	3079F51A039FAC7688291029E852FF0A	0D6F2EC22A73E1CBB0F1511C88E29FA65C9A49E9	B336B36C44AF6B143BAB2CCC7A1C0D0FE5855D02DDDED7CD38580E241FB33681
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_06FD.gsd	ASCII text, with CRLF line terminators	F3071E54B26E7529DD680D70C2512E94	A489765FBCECE1FA6A8666DF453134082C2C898A	EFE14FE0A169B15ACE12E067E9102ECCD9B4FCB198E57085A9A649323A188E2D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_07E9.GSD	ASCII text, with CRLF line terminators	6E57FF371E272230F77D421EA06D15DF	D7D67DFD9D2CB8E894AD7FFA74510EF946951887	07EED527422DE43FDD12126324CD8E92AC4E6E1819E5FC1CD85EF1A79DD88A9D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_096B.gsd	ASCII text, with CRLF line terminators	44982A9CE2DF6D63DFDF8929DC6CBB03	E351F94588D99CF44A4369F89870F2D18CF9AB29	F854C3C8D127C3C07F2C6229B19B8D36469A9F3759E9F907ABD6FA8EDB664350
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\PXC_196B_DPV0.gsd	ASCII text, with CRLF line terminators	A44A350C5D7A7F76B826213DE131A34C	4526981F18F6F30CA1A5C45CFB2C16D90BCFEEB6	7256C71DCD294B9968534AF43D7FF42B93D59E3E3550B8D65AAF36E96ABF8B96
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\Pxc_066b.gsd	ASCII text, with CRLF line terminators	8C59693DEBABF35AE9E6514E67770BAB	C1F366A0EFDB4371C180463C357D6AE6E39363F4	F8D7DF44D7E4D7189444796E6A829F97C7DE9BD917611B321D0167B563AF91B1
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\Pxc_066c.gsd	ASCII text, with CRLF line terminators	4B9083AA93F915307F3B3DC7D0B9B1C6	B354CDDD522B09CDE360B2CF6A34B4756316D475	E2CDF8BA67635A7599715680A5A3F3DDD1D5849AD2E6E90F058B75E7ED9DCCFC
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\GSD\Pxc_06FB.gsd	ASCII text, with CRLF line terminators	4F4101E8EFD619C0342F61433845AC0B	9F54605EDFD12F88F9F8EB97FC420B2AC40EED10	199E2CABA09C6867AAB5C26F164D99A4283A652E3CD73DA0D0B0248846F53AE1
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\SlottimeHelp_de.htm	HTML document, ISO-8859 text, with very long lines (323), with CRLF, NEL line terminators	CA35C23E9C9AE5CB5BD5278842EE0FCD	9AD0F75EFA27F3D1A36A04527BEBFD0E61E09EB4	24999F82CBB2677F698CC4B865E93568FBD07641D7C4F2354D60282E50A992BF
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\SlottimeHelp_en.htm	HTML document, ASCII text, with CRLF line terminators	D1EBA4023A9B3BB7F9E6EACAF5641CF1	FCD341A17569C2EB60A36B80B68D3A81BED1F0BC	6A255BE4D74A43FE58E12CD4320E0F0C31F52B00437761DF5D87D03F6A2FF3E6
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\header.gif	GIF image data, version 89a, 430 x 57	D7744F15E8E4CC276C2357DE492622F8	868D9819894D1B7E89A990445ACDB019BCBFAFFD	D696565F7571C276EF73681CEBB99EEAEA08C01CD6C7765228E9CF836CC26585
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\logo.gif	GIF image data, version 89a, 111 x 29	5F0DAC4FB2AF8974D0CBB7DEBC930568	47A2D205BB09B5EF1A2F4D7D210B6256BACE28C6	43C55A4D82F42267E7AAC040FF50EA07D8B10CA554AF4A73E579E96D3E0EBC6A
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\step1.PNG	PNG image data, 588 x 181, 8-bit/color RGB, non-interlaced	685FCFF31CFAA44C60803C35F5CFDB00	E7B5B56D0F9E081C013A73D4529C73CDBCAC43E7	E4F47D0B8D537670D81FF50E0360ABFDFD385F275485335CEFA9BFE83717A365
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\step2.PNG	PNG image data, 588 x 235, 8-bit/color RGB, non-interlaced	67CDAD24BCCBC0CF0E5D7BBF51882C85	20251A28F60A411107C187AD319AC85EC507E2A0	CA4DDBFB509CB210091133D8DBDECD650D32F19B0BA5BEC053DA50AB34998236
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\step3.PNG	PNG image data, 589 x 437, 8-bit/color RGB, non-interlaced	38165EF6BAEB228106707D1592000D9E	37812388FCE358C5A62A6A46E3CFA29331EF23D3	76BD4485A9B7D5C3312062425E7A26CC36A306A94A7486AD89C6EECEA64A0BBA
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\step4.PNG	PNG image data, 589 x 536, 8-bit/color RGB, non-interlaced	7BFF972A438779CCC3CBCD867B971405	438044C15BC6C76BB71FA281853F5B7732CEECDA	CB611C16F2B0699786D437418285DC515D2C6C0AA612272C4E961B2C43F9FBFD
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\Help\step5.PNG	PNG image data, 588 x 235, 8-bit/color RGB, non-interlaced	1E983D81FC3AE036A714966B52BA4BB3	F8F9D689309FDE32F129BF7C18D08BD3DC6A3A1C	9073BE7CC0948B1368BEEFC5332394FCC8BAB3A5169075F329930536DC2CAE21
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	B32C16E850C0E09747A6D1812BC46A66	898E5E545ECFE43091E9E861B4F2AC8B631211C9	C65CA7A1F0E3C2270C922101D71BB337820A16AF6A8949400453BF3EA40EC6EC
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\de\PCID2313656.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	DF04F8A2AD14137C1CF900CB53262289	C4C157E5566F14D06F7E9DD6E1C99EBBD56D3C83	50BEFD26678685D07A8B20DC0D5DC9C8781B34551C8B4708013685CAE1D48FD4
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\zh-CHS\PCID2313656.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	79C7AC91441783299DE3249C71328CD1	B5478F12DCFF54E07FBD6FCB389F9000C767728E	C7E86DEBBE24A04750F26D3794D4E885C7173792C8D1DB53C2DA0FFB8E662571
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\FactoryDefinedConnectionSets.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	D49A46DECE1EEC68F07F15587F98237B	7558E7504739477C203EB594B50B2FFCBF1B21E4	10CFC7FFD1E40F2A91ED18EA2A71FFC653BBEC326C42205836AE252917E693D5
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1334223DBBDF48A21E3C795E07A5DAE5	D7B09F7AAFB28CF92B5B0258BB7AA71A38D50BBE	484C8B0372B6AE0DF045AB48E6244F382CE7CB297C6748484AA5C6139C28E7AE
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\de\PCID2313669.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	4DA567FB8E268109161B030C3897C4D9	048853D71A37AED6A6B68E02FCCBE1C670EECCD6	98FD742A50ACCC06F720FB630F9BAEAE578C72DF5A32442302F527AEDE08CD8C
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\zh-CHS\PCID2313669.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C7513BF39EFE642B8C31F80BCC859402	C86CC51B8A0C28DEFB88CFB5BD0F1B6BBE0D50BC	59E448E45215C57216515C96085084A20F39EA747E6DAA156F31D9E7842F788D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\ModbusLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D234D24058CDF97A6D02DA4191F32B9E	EF5D436B4A09744F80BDB46A7B4062DFF017DFA1	736B9437D2CECAB806AC2B9A87470380F76352FEB5EE175556D255E2946D9416
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	341799511CFD7DD9330A6CDE0F772525	ED99077B94EA60A66D8496BDD7A6CDFA8AE7CB73	ECC0A043B8C7FC2DD2B2B0C89F9A4843EE4972CE918E69D4DE5A438FE4DEA29C
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\de\PCID2702184.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3CC1CA59B59A94C73D49CED150BE967C	05B87E317322E3E1C478BD32552E684D5CDB1183	A254F74FD8F2849958FFE87A3E2945C8F55BAECB0D7ECC95CD7EA0D8D18DDD21
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\modbconf.xml	Unicode text, UTF-8 (with BOM) text, with no line terminators	3E5418C4E7E9DC9ACFE71127B455B084	8B1C6B323943D834706D029EFA829BD44DD74CBE	15C3B96F195AF135766F99C55A5C4B79BD64EB42D21B5F1FFA2D8816E97B5F8D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\zh-CHS\PCID2702184.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3BB9E48A026BEE0DF12A7225EDEDE6AD	9E93BD331E90BD1919FFE84912B3EBCEC22A2712	9845C338E9DFC48067B46383A442A4B8A9D7451A4FAB9292185A05583FAC877E
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ModbusLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C03E258BC2D9F57DD886D3181F8709BA	1E387CFDC5F332DC6DAB5A25745B42842ECB2830	32C58021CECEDA30BDCB118CBD72E3C07772A51B7E13F6EB9FFFF6A9B155B55F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2D3E0D27C58502F5B58EB595F4BD1DEF	D40807641A1F000C292D96E9DA5EF5BF4176A8E2	DD0453785B38030C6CC1DD6BA12CE9BB385CD22BAC72BB4DBE0112795256E4A8
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PhoenixResourceManager.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	28F339164749C81FA8F33C5DE72FA316	ADC457E581AE811C1F9F073F2BDD510D093623CC	BB223255FE4274A1FB5B6786DA1DB6EA8490287BB923A9ECA1CA7695D07B5A9F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\de\PCID2702863.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	7D2FB7339E79BBFDF87B280D66089222	56318BCDD3B8497FFB6E1A5B58430F38BD7BF1B9	DCB6E72A894B1DBBE95B7E0A608C3DD519AA17EF914D24F1703B4D0F41A42108
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\modbconf.xml	Unicode text, UTF-8 (with BOM) text, with no line terminators	3E5418C4E7E9DC9ACFE71127B455B084	8B1C6B323943D834706D029EFA829BD44DD74CBE	15C3B96F195AF135766F99C55A5C4B79BD64EB42D21B5F1FFA2D8816E97B5F8D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ru\PCID2702863.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F8D358214D9F7ACE831521605725C58C	71A4945761D7CAB32379DD8EA8598D4DB122751C	11757CF567E585D292BFA905AC10BDB443DB4C92BA6A75D7D09B503539B78ABD
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\zh-CHS\PCID2702863.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	55225666D6B08B52171BAFE32EC9D536	E9DB1E8FAE51FC89694407EADF15B97478B68264	18E0B62CB59C7BEE77726164CA8A70358FDAEF98B6586BA2FDAA37BCB8204457
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\ModbusLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C03E258BC2D9F57DD886D3181F8709BA	1E387CFDC5F332DC6DAB5A25745B42842ECB2830	32C58021CECEDA30BDCB118CBD72E3C07772A51B7E13F6EB9FFFF6A9B155B55F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	98A8224385599582F323129DD03FF347	ABA2812E8DD6D298740ECBD7B2971418B87A4451	1343403BAC82F7CA2C7AFBB83171D915FA8A78A3E389D8AE365C814852897279
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\de\PCID2702878.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A9DB3BD550FAEFCE114DBE3B786321AB	31091A25C0CC8E5F2CD885BAAAC16A8661A3725C	5AD992546FF2C2110D56A0C13D3230E9A3FFC42307223CEAF9DA4B8228F062FA
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\modbconf.xml	Unicode text, UTF-8 (with BOM) text, with no line terminators	3E5418C4E7E9DC9ACFE71127B455B084	8B1C6B323943D834706D029EFA829BD44DD74CBE	15C3B96F195AF135766F99C55A5C4B79BD64EB42D21B5F1FFA2D8816E97B5F8D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\zh-CHS\PCID2702878.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	11B02FBF81B78981F7F4E39A4194B8B1	D5EAC5DB5F7327415FA8DC42CFDBC157B3535276	AABE8C86B6D9D915307062A10F07D5D99502394C7302AD1B9618A216E9A4974A
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\FactoryDefinedConnectionSets.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	686772D291FA4D79940D05379021C9D7	034846AD0BE63754898357CB6F1C756D1C9FF53B	8D21E56AC0E7488EA5FF1D98DB73FB5791090156FED4850ABC0B3E7AF87807F2
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\Manuals\ResetEscapeCharacter_DE_00.pdf	PDF document, version 1.5, 4 pages	C496C55E6A732DE454C6E42CD7F811A2	C414DC09C066B5297D49D7E438317C727CCB7A6B	8BEF56F99FD6C87077299D091D642C5AEA79F247605A141AFA524F7B0865F4D5
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\Manuals\ResetEscapeCharacter_EN_00.pdf	PDF document, version 1.5, 4 pages	534D004A5EC76F16AD76189CFC66A4A1	2B10E72B089D5AA1980B50F22733B6C18C043A56	583318E77F1E5FF0C36B3681634C526D55D0C46A8D266BD2C7019E6A05C132A9
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	DF68458416F4C34C5108863E4DB305F3	92250F8428AB610DAC5B4F5C3829CEED834BEF30	DD9588A5E3EC063832A1749CCE51987FDCBC4EE57410B337B29D53E1660478F0
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\de\PCID2708517.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C6CFC790DEFE336DC9A9FA8F04B8C95C	21B3092835145DDE69DD14CE67F42583BEF99008	32DE74C97BB067A9AA2A9A433ADCC2D92EBDB024B76C5EE43C9B04A348916F51
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\zh-CHS\PCID2708517.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1B46DCFE73F4A9CA42686DDCEB776667	7FCE002529A498BA31219207BD59F1605FEC67C6	B68E72C2F427EFAD15FD00C35479954B213C5ABA8CB106556018DCA0465420EC
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\ModbusLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C03E258BC2D9F57DD886D3181F8709BA	1E387CFDC5F332DC6DAB5A25745B42842ECB2830	32C58021CECEDA30BDCB118CBD72E3C07772A51B7E13F6EB9FFFF6A9B155B55F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0B8DA3D1A2C95F5264D0F87FB94E879D	BF8262C539A7610F61FD259559FC72E6158EB595	564ECFD27020789987874B85B3E9F99ADAEE639BF715B90B104FCA4DB94AD3ED
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\de\PCID2901540.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	4C175316874C05E4B96A4DA67DA7E447	D9DA50FC85945D62ED1A3C7FBA95CE590E4E46D3	C70580EAF905CD7C761C2234CA01B2C35DA79353605253ED055AFE3A68C16CB9
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\modbconf.xml	Unicode text, UTF-8 (with BOM) text, with no line terminators	3E5418C4E7E9DC9ACFE71127B455B084	8B1C6B323943D834706D029EFA829BD44DD74CBE	15C3B96F195AF135766F99C55A5C4B79BD64EB42D21B5F1FFA2D8816E97B5F8D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\zh-CHS\PCID2901540.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E9CFF9D3AECF7BD7B8D92D300F7B297D	DC88A7373CECD331D336EFFDEAB5E9E21F1A6893	53AD2B2A19CD12EF75868CA1AAF046E48F3FD8416D73ED3CC642C665E254790B
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ModbusLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C03E258BC2D9F57DD886D3181F8709BA	1E387CFDC5F332DC6DAB5A25745B42842ECB2830	32C58021CECEDA30BDCB118CBD72E3C07772A51B7E13F6EB9FFFF6A9B155B55F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3C3E85D209E48C60E066F6681B64F3F8	D1FC714F86072C6706695FDE9399F51983FD08BB	33746BCE5B955462BBF4FACFEB131A8EB44372C34F0E1917B303289ECAF73FEB
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541_HG.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	6B2C7BB726F707208798908A528C2214	5D3FD5784F5A3365D3CDD13FB892E90B6ADC7AE7	C7778ADE676C32122DC9331867C3D0F1E6422FFB2674B57E953826D71DB5E994
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\de\PCID2901541.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	220820175CC203249A8DD64A20C5CAA8	7C77F19B0003127167BE6E4D1B0F78E7814BD3C0	EF426C4C5BF67F03DB03D91FA9F14E435A320908604A23FB19B8F5C6A5189C20
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\modbconf.xml	Unicode text, UTF-8 (with BOM) text, with no line terminators	3E5418C4E7E9DC9ACFE71127B455B084	8B1C6B323943D834706D029EFA829BD44DD74CBE	15C3B96F195AF135766F99C55A5C4B79BD64EB42D21B5F1FFA2D8816E97B5F8D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ru\PCID2901541.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	FD61B57B404677EB2C679989F3F5481A	AE3BAA2EADF1752B10982BA49F8E77494EC8EBFD	51CB0AF18E575EAC167DA7B935E67B8144C546DD224FE3F5968420ABA6792ADF
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\zh-CHS\PCID2901541.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C34BBF62177CAD8DB9A6B06267983F31	CD2C87E53938E40E22674A9A708EC36C65F39E3F	DDBA7B7A8B56FAA82A6410CF42A69CA23B04CA37E1701282E5F88A91CB1FCD66
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\ModbusLib.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C03E258BC2D9F57DD886D3181F8709BA	1E387CFDC5F332DC6DAB5A25745B42842ECB2830	32C58021CECEDA30BDCB118CBD72E3C07772A51B7E13F6EB9FFFF6A9B155B55F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D09AD7CB84E0D5F84245F794FE585BF3	B428BF3AD2A49CBFCF91E7A5FEFDB65140783FB1	66DB593301C617E46C1C65D5410514CE80B9AB06ED6582D00FC8C68A043E5A94
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\de\PCID2904909.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	4764929C846922050A3EACAF680BC0F3	2D20FEFAC059A3B5D9231212BE9D73A297F4E3BE	EFEB9715ACD4C6AABB4CFCF39A5FB8EF90C39E61AFA0B02B6DA3831E73370175
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\modbconf.xml	Unicode text, UTF-8 (with BOM) text, with no line terminators	3E5418C4E7E9DC9ACFE71127B455B084	8B1C6B323943D834706D029EFA829BD44DD74CBE	15C3B96F195AF135766F99C55A5C4B79BD64EB42D21B5F1FFA2D8816E97B5F8D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\zh-CHS\PCID2904909.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C4687F40457C935063E7A3327E5B1FCF	3829D73F858BA2E90D8DD055296CAFDA696B31D1	41DB742F0117D558AAD87CD5B31AEAA48B0CD99D385F5A9A6431FA805D34A057
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\GetActiveProxy.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	BEBBAE4E39F35D231345E1BA4F7290AD	5F7A31BEAC9E362C37D9F326DE71EBC9874C2389	F68AAFF06CBDB2EB3DE83E67CB917BC8B2B91D80BDBA2875D3AFABB4B8BC1C1B
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF AutoUpdate.dat	Zip archive data, at least v2.0 to extract, compression method=deflate	6C4B6EC3261F09F10737CDDA984E7B9A	88B8031E8750BD2F0E0CAB7B41064578367B3E97	12ABEC0966013E0FFB001CB4D7420446B296D7C084916025127D404E5612062D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF AutoUpdate.exe	PE32 executable (GUI) Intel 80386, for MS Windows	ACC823D15ED0A9358643E715CFB88DD0	B62FD53EF497CE9F3F4B3C1FC0EF920698DC48D9	979B9D9484195DFA3190BB13F2E7F60EDBCC95297AA47505A0CAA0FD35DFD31F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	8F6908A3C2F22EE306CC55D7CFA08320	6E286485E0EEDAB7D978493911F9E6F1621E4138	6B287EB4BFE5B551923F3401F6535E9181670F2B2E8967224CDD26BCB26C9B7E
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe.config	XML 1.0 document, ASCII text, with CRLF line terminators	86C62D84005BCFA45EDE51C9DA4DEB4A	BCAECB7863D7775990D0D6714582992E0BA618A3	0C51BDC0248DCDF43FEBB0DFDF03C53B04B9201BAB665DBFF48F7ACF5919394F
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PhoenixResourceManager.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	432F18D0AB92CE5F3D072E4B288A53CF	2A63690A92F0B5FDE276FFDE070FD7220C59FCB3	1AE20B2CF8929D5BFDCA90848E2D56616B5DBB9DE8B5FE311043CE82C7645337
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRIMG1.BMP	PC bitmap, Windows 3.x format, 497 x 63 x 24, image size 93996, cbSize 94050, bits offset 54	8EDCCEB1AB1209C16C36677FFC242F05	FE2BA3B05A22C0EF9638A61DEFDC72D835B12B23	27937B5E40F1981EC50A03A12276AB7812D41475AE6862ACFE4F596194364DBD
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRIMG1.JPG	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3	AC40DED6736E08664F2D86A65C47EF60	C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA	F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRIMG2.BMP	PC bitmap, Windows 3.x format, 497 x 63 x 24, image size 93996, cbSize 94050, bits offset 54	8EDCCEB1AB1209C16C36677FFC242F05	FE2BA3B05A22C0EF9638A61DEFDC72D835B12B23	27937B5E40F1981EC50A03A12276AB7812D41475AE6862ACFE4F596194364DBD
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRIMG2.JPG	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3	AC40DED6736E08664F2D86A65C47EF60	C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA	F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRIMG3.BMP	PC bitmap, Windows 3.x format, 497 x 362 x 24, image size 540104, cbSize 540158, bits offset 54	CD6B4F5490483B9D1BEB9600625DAC28	35F9077719C48D31A0BD45EA08761A75E6139285	3F8A8C8698CECE5CEB6B96062B5C7ADE7CAB8375F8878D40E51E8CFD413321E9
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FCF0D70F428B081937103D32889535B8	A703030F601E5840D4718D570C4F59A4FF735158	B1D22E20B8225402B76387421D0F1E10986724D4D9DAC1441DE2530507AA913C
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\uni5359.tmp	data	A2342EB6351E213C49376466FCDD13D7	C7E420AB8AC0CC037EC7F9B624397A0B16F8E46A	774DB386708BCC5D84E0904891F4DD7A8127B8604CA2DE30C128FFDEEF03A364
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\uninstall.dat	data	0A280BE7674243172A79EC1C565BEBEB	B36DAC0496253AB204329B4E5B3829BE5B04DB93	270419C180F45EC297BCB1033DC6AAD12551E83EA3601C14AD2F05329E65EAAF
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\uninstall.xml	XML 1.0 document, ISO-8859 text, with CRLF line terminators	C840221BCDC6C47F709CDCF50665AF88	14AC28C3249812CB0162B67860AF476D46CB7BB9	51DE2BA8F79BF1C90EAEDB24AD6B3F99AFE5373810794BDDC3E4EE4EC52DD56D
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\de\PSI-CONF.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1383AA8BAD7B2C430839209304934705	5C987461E07F65E39AF2DF880247A96CA75283B3	EFFD37E264E1879C40D23BE66A29C47C41FC9EE4621BDBFFDBE39D4662FEDC39
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\ru\PSI-CONF.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	36C233799D0AFFE668740A4734B11700	04C806BE9777F03F58D0B75EDB18B621089EFA5B	436D028B7CEE2B89F7AFEFE00FD45792256F48ABBB2E70D98174D6CBAB1C51B1
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\uninstall.exe	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed	3FE7C92DBA5C9240B4AB0D6A87E6166A	7980D7DFFC073515B621834246DDA33AB00C308D	A7818C1E0DAD1CBBA4D17809688887ADEEAFE940A3CB53A6AEABDFCD196F7258
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\zh-CHS\PSI-CONF.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D3350A3EE88C13680AD45EF541D09477	F4E5D24B36DAE1FB8C1E96D55FE1C288E88EBA29	438084267B38D339216374FEA2A5509D7C9EA404A0AA5EE47E07C8213DF76FBF
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\PSI-CONF Update Client.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue May 12 05:25:19 2020, mtime=Tue May 12 05:25:19 2020, atime=Tue Apr 7 04:21:48 2020, length=1240440, window=hide	4C51C90793ADAF5F118981E0940DC04B	A706B4FC445E3A15695ED5DFE2D9EE2E6D75A54E	DFFCF6B6C01D2D729EAE8697DF161183E782427BEF01BC0420FA600A03DE8495
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\PSI-CONF.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue May 12 09:17:13 2020, mtime=Fri Jan 8 11:41:52 2021, atime=Fri Jan 8 11:39:11 2021, length=5014064, window=hide	BBDEC950CEDC99C208FD66FA617EAFF1	927469A379D386B51E1A90AC21A3F9FB93EA1860	197901CEDA3A4DDA7CC14AA42A2EEDBBE2B7DFE23D2BD9297F656DEEC2969752
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\Uninstall PSI-CONF.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 8 06:46:20 2024, mtime=Tue Oct 8 06:46:20 2024, atime=Tue Oct 8 06:46:20 2024, length=580096, window=hide	96755DFBF5600F5E8500556ACB657531	0B1ECC10462599FE0109984FB77C24F7120C6E66	AE35054F65AB07DA73BF801EA81627840B699B4CB3769DC4B81B0AAEB0DF55EC
C:\ProgramData\Phoenix Contact\PSIConfSoftware\FactoryDefinedConnectionSets1081818.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	66F8939138E6B35C3322BF752AD0207B	FF3F6F4343370569AB9160CF5E282EABE59DC07B	B3524388D1C8BBEF0D3245695F00BC9A4545681231D3CF393EFBED713AEB171D
C:\ProgramData\Phoenix Contact\PSIConfSoftware\FactoryDefinedConnectionSets2901540.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	6BC07CADA6CD4C6EAB08BE09A438354C	2653E7F602FDDE3761AD4F6AE3FB2C523C7C6CD4	06A9416E1FB030FCEA1A7C4C14696498E7FF373EFD1828F9E78DA905BDA61E10
C:\ProgramData\Phoenix Contact\PSIConfSoftware\FactoryDefinedConnectionSets2901541.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	1BA8E4F7E8D2B29873DDC764ACD892F0	1EA6C93B7A696E83B1FC051D70BAFBDF7F9AF3C4	62DA65EF0F747076EE0B6DB13A649B2904765E2BA2148B75A9441CAE1CF04C2B
C:\ProgramData\Phoenix Contact\PSIConfSoftware\FactoryDefinedConnectionSets2904909.xml	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	F5278BDB2DB399BD0B36F6CFABB007A5	4C8E9D85BC04228A67E9FD0F43576A89B3528A80	456CF3344BADEE47B6AFB7F10E31E38BB74B27E28479B27A3890D4CF33A19A3A
C:\ProgramData\Phoenix Contact\PSIConfSoftware\PSI-CONF_Update.SAV	Generic INItialization configuration [Server]	8F4D7E3B101F4AAADD41CEB7BB3058DD	9F0F3773CA7C44258C4F665AFD4F2C1FA3E9F71C	9715090DD109174E22F773DA9398930FCA9783AC9C834B2968310B1ABBC05544
C:\ProgramData\Phoenix Contact\PSIConfSoftware\ProjectData.SAV	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	92058E75010134C9EC8E4F915E0ED60B	2614318A25119ACDB5D3CBEE7C3A364D97FF78C3	31F8C07D3DD6E3D8F6C90E069D08317FCB53776666CC42BA567490E94F4E8A0B
C:\ProgramData\Phoenix Contact\PSIConfSoftware\SetupLog.txt	ASCII text, with CRLF line terminators	25D0E6C1C13BF1873DDEE6C6E7C6A9DE	63F733A35A9894212F761910CD638EC7A96DE548	9A7E71DA0F07ED9678FED6B2AD85F79ECB949BC2389CB0433DDF8BF0D0164FC8
C:\Users\Public\Desktop\PSI-CONF.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Icon number=0, Archive, ctime=Tue May 12 09:17:13 2020, mtime=Tue Oct 8 06:46:52 2024, atime=Fri Jan 8 11:39:11 2021, length=5014064, window=hide	FFF6754A890E75F326A3F85E9110B47A	8BBE01D87F69F4C9AE7943CD0A03C86157D1BBFD	39CFB15CF9BB2725120814E3BE8DF03E5738C24250FFC4262650FCF15EEE47B2
C:\Users\user\AppData\Local\Temp\CSCF17D.tmp	MSVC .res	3B6322B76724299A0E21A877A355F6E9	1DFCF47508E6197F0E8FFFBB389DDE68E4F6FA23	966416F4E86A9E16CA64322A3C22BE70DBB256C65597AB312A04CD77B6EF82E3
C:\Users\user\AppData\Local\Temp\RESF17E.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x40e, 9 symbols, created Tue Oct 8 07:47:00 2024, 1st section name ".debug$S"	75D3390FB8EF9C312DFADFEBC9C6DFCA	12C88155F3528AA605E7A0F635DDAF3E3A00C98D	8894C8A6A7CBBA60F7D13EDF793F071265EAFFA32714ED16438BA08ABD7AE33F
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP	PC bitmap, Windows 3.x format, 497 x 63 x 24, image size 93996, cbSize 94050, bits offset 54	8EDCCEB1AB1209C16C36677FFC242F05	FE2BA3B05A22C0EF9638A61DEFDC72D835B12B23	27937B5E40F1981EC50A03A12276AB7812D41475AE6862ACFE4F596194364DBD
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3	AC40DED6736E08664F2D86A65C47EF60	C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA	F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP	PC bitmap, Windows 3.x format, 497 x 63 x 24, image size 93996, cbSize 94050, bits offset 54	8EDCCEB1AB1209C16C36677FFC242F05	FE2BA3B05A22C0EF9638A61DEFDC72D835B12B23	27937B5E40F1981EC50A03A12276AB7812D41475AE6862ACFE4F596194364DBD
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3	AC40DED6736E08664F2D86A65C47EF60	C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA	F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP	PC bitmap, Windows 3.x format, 497 x 362 x 24, image size 540104, cbSize 540158, bits offset 54	CD6B4F5490483B9D1BEB9600625DAC28	35F9077719C48D31A0BD45EA08761A75E6139285	3F8A8C8698CECE5CEB6B96062B5C7ADE7CAB8375F8878D40E51E8CFD413321E9
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FCF0D70F428B081937103D32889535B8	A703030F601E5840D4718D570C4F59A4FF735158	B1D22E20B8225402B76387421D0F1E10986724D4D9DAC1441DE2530507AA913C
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\PXC_USB-Driver.zip	Zip archive data, at least v2.0 to extract, compression method=deflate	B09B52E58A7F36D01BD772456F9205F6	74DA05E855124FF8F5D1FBC392C7B267E0CFE875	6CBFAF72E4EADD5FE61AA610E8EA3085116375F06B9220436CD4A6BA5486ABFE
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	PE32 executable (GUI) Intel 80386, for MS Windows	A6EA5C9B61F3DD92B3833AE2DD3FA72F	C840D4BB4F9BCF9E046E5ED69DEE804E651A14D8	652348D6E96B1F9426C2B9610BC87FE306DB5D92BA84D0756AB0FA85DCE64657
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat	data	0ABEAA65E4293126C5842BDE76E379A1	63F8E8E7EB0C52387F7B5FB1BD1419DD6A260CD1	2790F30B360799EE24CC2F68511F4210F77CEC3BFAD9186E266DA58784F40469
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed	3FE7C92DBA5C9240B4AB0D6A87E6166A	7980D7DFFC073515B621834246DDA33AB00C308D	A7818C1E0DAD1CBBA4D17809688887ADEEAFE940A3CB53A6AEABDFCD196F7258
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\setup.ini	Generic INItialization configuration [Driver Version]	D84921B74EB52ABBBBC4FF89D3E31DC7	9E133216F50AE3AB40A564D5580318EB63F8B33A	230B4F3AE7D7FC835FF2402929DC8661D61E3B28961ABB8EF98DB697C5B4D7B4
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\setup.iss (copy)	Generic INItialization configuration [File Transfer]	8EEE855357E95B370EABAECA264F213A	27F5C298AA895AD6E886E737BFF653E60BF7CDF8	B64875316A151F71FAB800A3416C701DADA1617D21E14B0BE8EDC07902E56A3F
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\setupWin2K.iss	Generic INItialization configuration [File Transfer]	488A9F4A8C50E1B27A3412360BD2804E	5AB6E1BBE12ECFBEBD16925DAC3321B9179F94A9	5DD7FB9AE36DAF2531F3A9360223E97E585C241910670266783F5BB313E13A43
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\setupWin7.iss	Generic INItialization configuration [File Transfer]	8EEE855357E95B370EABAECA264F213A	27F5C298AA895AD6E886E737BFF653E60BF7CDF8	B64875316A151F71FAB800A3416C701DADA1617D21E14B0BE8EDC07902E56A3F
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\slabvcp.cat	data	FB782004A59BF05EDAFEEE9CEB1AB567	0DDF1D5026BCAC265294F2BA111A85A3B01A7BE4	6E82E523B5CEC089A9C660B9BD73FC235CC2001D3E0689DB8D637F5455CA8F66
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\slabvcp.inf	Windows setup INFormation	6FA46FEDF1CBE21B587F21286466D8A6	39A9B9E3887960581A5F3E4DAA497F9111B7F74A	32B8BDF3D6D7907AEC9FBA68B94BEF31FF5EB0597EB73C9B4FFE59B4B3CDAD69
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\WdfCoInstaller01009.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	4DA5DA193E0E4F86F6F8FD43EF25329A	68A44D37FF535A2C454F2440E1429833A1C6D810	18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys	PE32+ executable (native) x86-64, for MS Windows	7799106FEE728B907A86D9C9751E02D5	F35320E535159D43B598C7C11684DB05BE4196A6	EE85E8D3CF3819DB28221BFC103DE8DF0E14E1878CECF54E8CD8C161B0E0AF3C
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabser.sys	PE32+ executable (native) x86-64, for MS Windows	447209C314E6E0D26E01962075802B18	DD8AF2E3AA38D2D6971568EBF2CF41848E0091F5	AB1AC5854EB0EDF66025609CF9CB5639014C264327F4DEE1223BF7F6E1BD2D15
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\WdfCoInstaller01009.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A9970042BE512C7981B36E689C5F3F9F	B0BA0DE22ADE0EE5324EAA82E179F41D2C67B63E	7A6BF1F950684381205C717A51AF2D9C81B203CB1F3DB0006A4602E2DF675C77
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabenm.sys	PE32 executable (native) Intel 80386, for MS Windows	3EAD8E1668CE42A0AFE41D56E7157BCF	C164EE1014A9D64BEFCDB46AB4B1C67C1F23E47B	90A1AA6372356046B28C079954458F42849779FFC48C93AF0549A7673B276EB3
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabser.sys	PE32 executable (native) Intel 80386, for MS Windows	688F8D8A147F04169139A681A1AA0035	5D05647EBD0052433CB4574F5EC614E404F71314	4857A353D5A3A390A134999268CF05F09C82E5E881822A43984F8BC74E7D00B1
C:\Users\user\AppData\Local\Temp\rqco3gp6.0.cs	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	DC5B47768E17E1487214C7E29396E4AC	45CDF0CFC120D8AF8EB8D02276AD9EF2F9D436A3	9587AD0B8AF0A18B61BA6DB0FA385DD6000AF388DCF6253CF0085D5ECFD432DC
C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline	Unicode text, UTF-8 (with BOM) text, with very long lines (596), with no line terminators	0446FDF8D7C480DEC9680B7C301C3EB7	BBF6BFB0CD7EEEFECFEC2BD51FC9B99C75671364	C6F50D4A82E2FAB0ABA426EA7DFAF419834DE741E01B3168E0E4B5E1976D084C
C:\Users\user\AppData\Local\Temp\rqco3gp6.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	26140D7363DAEE905038C859A19E5623	83B957B3EF1EBEA69719675C7228549348488E79	6C0BADCDA1DDD5A8729152E791E09D52DBE9248B0AC38516C433617D89FF0E56
C:\Users\user\AppData\Local\Temp\rqco3gp6.out	Unicode text, UTF-8 (with BOM) text, with very long lines (679), with CRLF line terminators	55B93B1445910E1F9B0995A0EB3D492E	F9D4E3D1EF4303734DE42D54C3F6C70460BDF7F7	FFA09B59F6FC4ABA58F595021FC8CC4263B682F0862C6CB16C4C55AC2D02CDE3
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\SET152A.tmp	data	FB782004A59BF05EDAFEEE9CEB1AB567	0DDF1D5026BCAC265294F2BA111A85A3B01A7BE4	6E82E523B5CEC089A9C660B9BD73FC235CC2001D3E0689DB8D637F5455CA8F66
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\SET154A.tmp	Windows setup INFormation	6FA46FEDF1CBE21B587F21286466D8A6	39A9B9E3887960581A5F3E4DAA497F9111B7F74A	32B8BDF3D6D7907AEC9FBA68B94BEF31FF5EB0597EB73C9B4FFE59B4B3CDAD69
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.cat (copy)	data	FB782004A59BF05EDAFEEE9CEB1AB567	0DDF1D5026BCAC265294F2BA111A85A3B01A7BE4	6E82E523B5CEC089A9C660B9BD73FC235CC2001D3E0689DB8D637F5455CA8F66
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.inf (copy)	Windows setup INFormation	6FA46FEDF1CBE21B587F21286466D8A6	39A9B9E3887960581A5F3E4DAA497F9111B7F74A	32B8BDF3D6D7907AEC9FBA68B94BEF31FF5EB0597EB73C9B4FFE59B4B3CDAD69
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14D9.tmp	PE32+ executable (native) x86-64, for MS Windows	7799106FEE728B907A86D9C9751E02D5	F35320E535159D43B598C7C11684DB05BE4196A6	EE85E8D3CF3819DB28221BFC103DE8DF0E14E1878CECF54E8CD8C161B0E0AF3C
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14EA.tmp	PE32+ executable (native) x86-64, for MS Windows	447209C314E6E0D26E01962075802B18	DD8AF2E3AA38D2D6971568EBF2CF41848E0091F5	AB1AC5854EB0EDF66025609CF9CB5639014C264327F4DEE1223BF7F6E1BD2D15
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14FA.tmp	PE32+ executable (DLL) (console) x86-64, for MS Windows	4DA5DA193E0E4F86F6F8FD43EF25329A	68A44D37FF535A2C454F2440E1429833A1C6D810	18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\WdfCoinstaller01009.dll (copy)	PE32+ executable (DLL) (console) x86-64, for MS Windows	4DA5DA193E0E4F86F6F8FD43EF25329A	68A44D37FF535A2C454F2440E1429833A1C6D810	18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabenm.sys (copy)	PE32+ executable (native) x86-64, for MS Windows	7799106FEE728B907A86D9C9751E02D5	F35320E535159D43B598C7C11684DB05BE4196A6	EE85E8D3CF3819DB28221BFC103DE8DF0E14E1878CECF54E8CD8C161B0E0AF3C
C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabser.sys (copy)	PE32+ executable (native) x86-64, for MS Windows	447209C314E6E0D26E01962075802B18	DD8AF2E3AA38D2D6971568EBF2CF41848E0091F5	AB1AC5854EB0EDF66025609CF9CB5639014C264327F4DEE1223BF7F6E1BD2D15
C:\Windows\INF\oem0.PNF	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1158 "Signature", at 0x68 WinDirPath, LanguageID 809	64026D01A971058E168968A009B388A4	88FE1CD729B95B7A80909EEFBD1B7D7ED171FFAB	59996A95EBA32B12A5C2768695D0B99097B21BA1BFFBABB6C2D2B4B186AD9DE3
C:\Windows\INF\oem1.PNF	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1100 "Signature", at 0x68 WinDirPath, LanguageID 809	F6522A824FF0E6517592760FAD67B4A2	0BB8E72584D0E26990592F1FF005931F1C982E8B	DCD864FDF73D20AD3A3259BBFB5B983DA0C27BBC8754BA91D5B03B1F23F2E83B
C:\Windows\INF\oem3.PNF	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1210 "Signature", at 0x68 WinDirPath, LanguageID 809	B5D8129EAC382A3E8DCF89EB99CAEFF7	EE1AC4DC8E468A336922231F2E07E5C8F2C64FCF	1270052B78BE63F9ABB7791DE2E1722807F2050117887C8CE91622032BCADB55
C:\Windows\INF\oem4.inf	Windows setup INFormation	6FA46FEDF1CBE21B587F21286466D8A6	39A9B9E3887960581A5F3E4DAA497F9111B7F74A	32B8BDF3D6D7907AEC9FBA68B94BEF31FF5EB0597EB73C9B4FFE59B4B3CDAD69
C:\Windows\INF\setupapi.dev.log	Generic INItialization configuration [BeginLog]	319B2E529C761070C507DAB4E1B66BC3	C750480AB70296C5584662E1EDDCC42D065DA719	59A90D237BE9C50DDE49554AE583978B7FD3C890E1DF7479479B8D35E0218743
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\SET18A5.tmp	data	FB782004A59BF05EDAFEEE9CEB1AB567	0DDF1D5026BCAC265294F2BA111A85A3B01A7BE4	6E82E523B5CEC089A9C660B9BD73FC235CC2001D3E0689DB8D637F5455CA8F66
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\SET18B5.tmp	Windows setup INFormation	6FA46FEDF1CBE21B587F21286466D8A6	39A9B9E3887960581A5F3E4DAA497F9111B7F74A	32B8BDF3D6D7907AEC9FBA68B94BEF31FF5EB0597EB73C9B4FFE59B4B3CDAD69
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat (copy)	data	FB782004A59BF05EDAFEEE9CEB1AB567	0DDF1D5026BCAC265294F2BA111A85A3B01A7BE4	6E82E523B5CEC089A9C660B9BD73FC235CC2001D3E0689DB8D637F5455CA8F66
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf (copy)	Windows setup INFormation	6FA46FEDF1CBE21B587F21286466D8A6	39A9B9E3887960581A5F3E4DAA497F9111B7F74A	32B8BDF3D6D7907AEC9FBA68B94BEF31FF5EB0597EB73C9B4FFE59B4B3CDAD69
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	PE32+ executable (native) x86-64, for MS Windows	7799106FEE728B907A86D9C9751E02D5	F35320E535159D43B598C7C11684DB05BE4196A6	EE85E8D3CF3819DB28221BFC103DE8DF0E14E1878CECF54E8CD8C161B0E0AF3C
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	PE32+ executable (native) x86-64, for MS Windows	447209C314E6E0D26E01962075802B18	DD8AF2E3AA38D2D6971568EBF2CF41848E0091F5	AB1AC5854EB0EDF66025609CF9CB5639014C264327F4DEE1223BF7F6E1BD2D15
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	PE32+ executable (DLL) (console) x86-64, for MS Windows	4DA5DA193E0E4F86F6F8FD43EF25329A	68A44D37FF535A2C454F2440E1429833A1C6D810	18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	PE32+ executable (DLL) (console) x86-64, for MS Windows	4DA5DA193E0E4F86F6F8FD43EF25329A	68A44D37FF535A2C454F2440E1429833A1C6D810	18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	PE32+ executable (native) x86-64, for MS Windows	7799106FEE728B907A86D9C9751E02D5	F35320E535159D43B598C7C11684DB05BE4196A6	EE85E8D3CF3819DB28221BFC103DE8DF0E14E1878CECF54E8CD8C161B0E0AF3C
C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	PE32+ executable (native) x86-64, for MS Windows	447209C314E6E0D26E01962075802B18	DD8AF2E3AA38D2D6971568EBF2CF41848E0091F5	AB1AC5854EB0EDF66025609CF9CB5639014C264327F4DEE1223BF7F6E1BD2D15
C:\Windows\System32\catroot2\dberr.txt	ASCII text, with CRLF line terminators	8C6F34080B4A50183A33FA4CCAA78207	DAF16DC9865A82A8C81F1B06B6CAB1BB148C49CA	3682366FA5D3D0B77BCBFB5BD91A5DD3865CC3C2CAC090466676BD86431BD7BE
C:\Windows\assembly\Desktop.ini	Windows desktop.ini	F7F759A5CD40BC52172E83486B6DE404	D74930F354A56CFD03DC91AA96D8AE9657B1EE54	A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Windows Analysis Report PSI-CONF_Setup_v2.76.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
PSI-CONF_Setup_v2.76.exe