Edit tour

Windows Analysis Report
PSI-CONF_Setup_v2.76.exe

Overview

General Information

Sample name:	PSI-CONF_Setup_v2.76.exe
Analysis ID:	1528774
MD5:	4bf5ec6ea419625fd7fbc9d7df84b5f4
SHA1:	4f530013dcc3d2393abb006ca66834f558036c89
SHA256:	9162049d459e334a9721e7e770bf2e1e64d60ebccfbf43d727e8975db6c9df00
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	47
Range:	0 - 100

Signatures

Installs new ROOT certificates

Sigma detected: Dot net compiler compiles file from suspicious location

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables driver privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

PSI-CONF_Setup_v2.76.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" MD5: 4BF5EC6EA419625FD7FBC9D7DF84B5F4)

irsetup.exe (PID: 6524 cmdline: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003" MD5: 3FE7C92DBA5C9240B4AB0D6A87E6166A)

Phoenix Contact VCPInstaller.exe (PID: 4668 cmdline: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe" MD5: A6EA5C9B61F3DD92B3833AE2DD3FA72F)

icacls.exe (PID: 6308 cmdline: "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PSI-CONF.exe (PID: 4432 cmdline: "C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe" MD5: 8F6908A3C2F22EE306CC55D7CFA08320)

csc.exe (PID: 3668 cmdline: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline" MD5: 953344403C93E6FBB8C573273D645242)

conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 5604 cmdline: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp" MD5: 3FDA06F8AA40293397F58A687EEABC1F)

drvinst.exe (PID: 5340 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.inf" "9" "4f7b0f4b7" "0000000000000148" "WinSta0\Default" "0000000000000168" "208" "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

rundll32.exe (PID: 2576 cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe, ProcessId: 4432, TargetFilename: C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe, ParentCommandLine: "C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe", ParentImage: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe, ParentProcessId: 4432, ParentProcessName: PSI-CONF.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline", ProcessId: 3668, ProcessName: csc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\ProgramData\Phoenix Contact\PSIConfSoftware\SetupLog.txt

Jump to behavior

PE / OLE file has a valid certificate

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Spreading

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Source: irsetup.exe, 00000002.00000002.2847956855.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826847095.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com
Source: irsetup.exe, 00000002.00000002.2847956855.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826847095.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.comERROR:
Source: irsetup.exe, 00000002.00000003.2826640586.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826600914.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2837708313.000000000441E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2840976065.0000000004426000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826509562.0000000004753000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2842645729.000000000442D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828366742.0000000004453000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2837620517.0000000004406000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828456225.0000000004466000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2841318428.0000000004426000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2841359508.0000000004429000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phoenixcontact.com/
Source: irsetup.exe, 00000002.00000003.2841085831.0000000004474000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828743366.000000000446C000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828671762.0000000004468000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828415199.000000000445D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828366742.0000000004453000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828456225.0000000004466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phoenixcontact.com/EditField)_0
Source: irsetup.exe, 00000002.00000003.2825182735.00000000052F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://select.phoenixcontact.com/phoenix/dwl/dwl01.jsp?from=psiconf&file=

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\SET152A.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\SET18A5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\slabvcp.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.cat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\slabvcp.cat	Jump to dropped file

System Summary

Creates driver files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys

Jump to behavior

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem0.PNF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem1.PNF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Windows\INF\oem3.PNF	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_d5d1b7de54203434	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_d5d1b7de54203434\x64	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	File created: C:\Windows\assembly\Desktop.ini

Deletes files inside the Windows folder

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_0040525A	0_2_0040525A
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00403FB0	0_2_00403FB0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ADE22	2_3_006ADE22
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006ABBEA	2_3_006ABBEA
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F62825	12_2_00007FF848F62825
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F73B3E	12_2_00007FF848F73B3E
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F6F35C	12_2_00007FF848F6F35C
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F72FBD	12_2_00007FF848F72FBD
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F62953	12_2_00007FF848F62953
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: 12_2_00007FF848F6D6E9	12_2_00007FF848F6D6E9

Enables driver privileges

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe

Process token adjusted: Load Driver

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: String function: 00007FF848F65810 appears 39 times
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Code function: String function: 00007FF848F64E70 appears 37 times

PE file contains executable resources (Code or Archives)

Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_DIALOG type: COM executable for DOS
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: Phoenix Contact VCPInstaller.exe.2.dr	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: WdfCoInstaller01009.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1639755 bytes, 2 files, at 0x44 +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Win2k-WinXP-Win2k3.exe" +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Vista.msu", flags 0x4, ID 12343, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression

Sample file is different than original file name gathered from version info

Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849394316.000000000040E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesuf80_launch.exe2 vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849863551.00000000006F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_rt.exeT vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849935303.0000000002130000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_launch.exe2 vs PSI-CONF_Setup_v2.76.exe
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000003.2848630429.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf80_rt.exeT vs PSI-CONF_Setup_v2.76.exe

Uses 32bit PE files

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: irsetup.exe.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9887366134129213
Source: WdfCoInstaller01009.dll.2.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9985629322738576

Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: classification engine

Classification label: sus24.expl.evad.winEXE@18/192@0/0

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_004018EE lstrlenA,GetCurrentDirectoryA,_memset,GetTempPathA,lstrlenA,lstrlenA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,DeleteFileA,RemoveDirectoryA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,CreateDirectoryA,lstrcpyA,lstrcpyA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA,

0_2_004018EE

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\Public\Desktop\PSI-CONF.lnk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Mutant created: \Sessions\1\BaseNamedObjects\PSI-CONF
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_03

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: Yara match

File source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe, type: DROPPED

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Command line argument: /~DBG

0_2_0040121E

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

File read: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe "C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe"
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe"
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.inf" "9" "4f7b0f4b7" "0000000000000148" "WinSta0\Default" "0000000000000168" "208" "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe "C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe"
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe "C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe"	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: pnpui.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Section loaded: msls31.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cscomp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File written: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\setup.ini

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: Install
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: Next
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Automated click: I accept the terms in the license agreement

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found window with many clickable UI elements (buttons, textforms, scrollbars etc)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Window detected: Number of UI elements: 11

Uses Microsoft Silverlight

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

PE / OLE file has a valid certificate

Source: PSI-CONF_Setup_v2.76.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: PSI-CONF_Setup_v2.76.exe

Static file information: File size 46190112 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Data Obfuscation

Compiles C# or VB.Net code

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00407054 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_00407054

PE file contains sections with non-standard names

Source: silabenm.sys.2.dr	Static PE information: section name: PAGESENM
Source: silabser.sys.2.dr	Static PE information: section name: PAGESRP0
Source: silabser.sys.2.dr	Static PE information: section name: PAGESER
Source: silabenm.sys0.2.dr	Static PE information: section name: PAGESENM

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00403F99 push ecx; ret	0_2_00403FAC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_3_006AB520 pushad ; ret	2_3_006ABBE9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\drvinst.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Blob

Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\de\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\de\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\uninstall.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\rqco3gp6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\zh-CHS\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541_HG.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ru\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\de\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabenm.sys	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\zh-CHS\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\zh-CHS\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\de\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\zh-CHS\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\zh-CHS\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\de\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\de\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\de\BugReportCreator.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF AutoUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\de\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14EA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\de\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\zh-CHS\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\zh-CHS\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\de\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\zh-CHS\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\zh-CHS\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\zh-CHS\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ru\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\zh-CHS\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\zh-CHS\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\de\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\ru\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\de\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\GetActiveProxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\zh-CHS\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\de\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\zh-CHS\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\de\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\BugReportCreator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\de\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\zh-CHS\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\de\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\de\PCID1081818.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd			Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\ProgramData\Phoenix Contact\PSIConfSoftware\SetupLog.txt

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\PSI-CONF.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\PSI-CONF Update Client.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phoenix Contact\PSI-CONF\Uninstall PSI-CONF.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Stores large binary data to the registry

Source: C:\Windows\System32\drvinst.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

Uses cacls to modify the permissions of files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 1A10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 3A10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Memory allocated: 1BA10000 memory commit \| memory reserve \| memory write watch

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Window / User API: threadDelayed 1087

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\de\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\de\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rqco3gp6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\zh-CHS\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541_HG.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ru\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\de\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET17E6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\zh-CHS\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\zh-CHS\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\de\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\zh-CHS\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\zh-CHS\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\de\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\de\PCID2901541.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\de\BugReportCreator.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF AutoUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\de\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\SET14EA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\x64\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\de\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\zh-CHS\PCID2702878.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PhoenixResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1845.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\zh-CHS\PCID2708517.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\de\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\zh-CHS\PCID2313643.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\zh-CHS\PCID2313106.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\zh-CHS\PCID2901540.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\zh-CHS\PCID2313559.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ru\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\zh-CHS\PCID2702184.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\de\PCID2702863.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\ru\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\de\PCID2313449.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Uninstall\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\GetActiveProxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabenm.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\SET1865.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\zh-CHS\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\de\PCID2313656.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\silabser.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\zh-CHS\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\de\PCID2313669.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\BugReportCreator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\de\PCID2313533.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\zh-CHS\PSI-CONF.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\de\PCID2904909.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\de\PCID1081818.resources.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\x64\WdfCoinstaller01009.dll (copy)	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-4744

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Thread sleep count: Count: 1087 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563ommonProgramFiles = "%CommonProgramFiles
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc = "Microsoft Hyper-V SCSI Controller"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Activation.DeviceDesc = "Microsoft Hyper-V Activation Component"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcShutdown.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVS
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2297697663.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563=
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc = "Microsoft Hyper-V Fibre Channel HBA"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2266698107.0000000000565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; ConnectX-4 Hyper-V VF
Source: irsetup.exe, 00000002.00000003.2510425719.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_eth.DeviceDesc = "Microsoft Hyper-V Ethernet Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Heartbeat.DeviceDesc = "Microsoft Hyper-V Heartbeat"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shutdown.DeviceDesc = "Microsoft Hyper-V Guest Shutdown"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2266698107.0000000000565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; ConnectX-4 non Hyper-V VF
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMBusHid.DeviceDesc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %VSS.DeviceDesc% = VmIcVss, vmbus\{2450ee40-33bf-4fbd-892e-9fb06e9214cf}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_mbb_gsm.DeviceDesc = "Microsoft Hyper-V GSM MBB Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperVNetworkAdapterName = "Hyper-V Network Adapter Name"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; Hyper-V Network Adapter Name
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563b
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309686444.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DynMemVsc.DeviceDesc = "Microsoft Hyper-V Dynamic Memory"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TimeSync.DeviceDesc = "Microsoft Hyper-V Time Synchronization"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563Y
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Integration Components"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2259785251.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2279239071.0000000002831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GenericScsiVmLun = "Hyper-V LUN"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VSS.DeviceDesc = "Microsoft Hyper-V Volume Shadow Copy"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcHeartbeat.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; Hyper-V Synthetic Video driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563w
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddReg=VmIcVss.HW.AddReg
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c = "Microsoft Hyper-V Activation Component"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; INF file for installing the Hyper-V crashdump driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id.DeviceDesc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.00000000027DA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GuestInterface.DeviceDesc = "Microsoft Hyper-V Guest Service Interface"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}",,0x0,"Microsoft-Windows-Hyper-V-Netvsc"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: F file for installing the Hyper-V crashdump driver.
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rdv.DeviceDesc = "Microsoft Hyper-V Remote Desktop Virtualization"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %Heartbeat.DeviceDesc% = VmIcHeartbeat, vmbus\{57164f39-9115-4e78-ab55-382f3bd5422d}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcHeartbeat.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcShutdown.NT]
Source: PSI-CONF_Setup_v2.76.exe, 00000000.00000002.2849725983.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_80n
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId = "Microsoft Hyper-V SCSI Controller Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Input Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperVNetworkAdapterName = "Hyper-V Network Adapter N%m
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DeviceDesc_NULL = "Microsoft Hyper-V Fibre Channel HBA (not supported)"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT.HW]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RdpD.DeviceDesc = "Microsoft Hyper-V Remote Desktop Data Channel"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2290813674.00000000027E2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_ppp.DeviceDesc = "Microsoft Hyper-V VPN Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2282968382.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}\ChannelReferences\1",,0x0,"Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Network Adapter Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563x
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvCrash.DeviceDesc = "Microsoft Hyper-V Crashdump Driver"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RdpC.DeviceDesc = "Microsoft Hyper-V Remote Desktop Control Channel"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %Shutdown.DeviceDesc% = VmIcShutdown, vmbus\{b6650ff7-33bc-4840-8048-e0676786f393}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Desc = "Microsoft Hyper-V Guest Service Interface"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; This is the INF file for installing the Hyper-V S3 Cap driver
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.HW.AddReg]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [VmIcVss.NT.Services]
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HyperKbd.DeviceDesc = "Microsoft Hyper-V Virtual Keyboard"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SynthVid.DeviceDesc = "Microsoft Hyper-V Video"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc.DeviceDesc = "Microsoft Hyper-V Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","OwningPublisher",0x0,"{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2297697663.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","ChannelAccess",0x0,"O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ; INF file for installing Hyper-V keyboard driver
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2308880687.000000000059C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wlan, ppip, vmnetextension"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Isolation",0x00010001,0
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289874462.00000000029B1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2292021624.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321398589.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Video Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324784219.000000000282D000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2299975086.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323438455.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322273255.000000000282C000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2306767874.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId = "Microsoft Hyper-V Fibre Channel HBA Installation Disk #1"
Source: irsetup.exe, 00000002.00000003.2510425719.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323679118.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301077541.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2271536312.0000000000533000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2302146162.00000000027E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Crash Dump Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Enabled",0x00010001,0
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2323611546.00000000027B2000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2289335943.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2301023666.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322455462.00000000027AB000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309945969.00000000027AA000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2275114474.0000000002780000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2291543255.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KvpExchange.DeviceDesc = "Microsoft Hyper-V Data Exchange"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2320101206.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2321656088.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NE
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t Hyper-V Virtual Keyboard"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2309686444.00000000027F6000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300308294.00000000029E1000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2280765136.0000000000525000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2322425727.0000000000507000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Dynamic Memory Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.00000000027A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sc = "Microsoft Hyper-V Input"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: S3CapDevice.DeviceDesc = "Microsoft Hyper-V S3 Cap"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2295813192.0000000002789000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000584000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2305972251.0000000002A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V S3 Cap Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_wifi.DeviceDesc = "Microsoft Hyper-V WiFi Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETV
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324684756.00000000027E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DiskId1 = "Microsoft Hyper-V Virtual Keyboard Installation Disk #1"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2300142790.0000000000555000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324403544.0000000002B12000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2307830794.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netvsc_mbb_cdma.DeviceDesc = "Microsoft Hyper-V CDMA MBB Network Adapter"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2298463203.0000000002781000.00000004.00000020.00020000.00000000.sdmp, Phoenix Contact VCPInstaller.exe, 00000003.00000003.2324727014.0000000002781000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVS
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2316477527.00000000027F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKR, Ndi\Interfaces,FilterMediaTypes,,"vmnetextension"
Source: Phoenix Contact VCPInstaller.exe, 00000003.00000003.2260352505.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Hyper-V-NETVSC/Diagnostic","Type",0x00010001,2

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00407054 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_00407054

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00402E99 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,

0_2_00402E99

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00405859 SetUnhandledExceptionFilter,	0_2_00405859
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00401000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401000
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_00407303 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00407303
Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Code function: 0_2_0040110A _memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040110A

Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF17E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF17D.tmp"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} global\{7407c8d9-0d94-0b41-8543-eb54da946896} c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} global\{7407c8d9-0d94-0b41-8543-eb54da946896} c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf c:\windows\system32\driverstore\temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat			Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_0040605D cpuid

0_2_0040605D

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: GetLocaleInfoA,

0_2_0040783D

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

Code function: 0_2_00405F79 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00405F79

Source: C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe

0_2_00402E99

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Windows\System32\drvinst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\46B8D8F38741CD4E839F1F6B874F58B0A87C1937 Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 LSASS Driver	1 LSASS Driver	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Windows Service	21 Obfuscated Files or Information	Security Account Manager	36 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Install Root Certificate	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Services File Permissions Weakness	1 Registry Run Keys / Startup Folder	11 Software Packing	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Services File Permissions Weakness	1 DLL Side-Loading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	42 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Services File Permissions Weakness	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Rundll32	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PSI-CONF_Setup_v2.76.exe	0%	ReversingLabs
PSI-CONF_Setup_v2.76.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	0%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	0%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	0%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	0%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	0%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	0%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	2%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	0%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	2%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	2%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Telit\Xfp1.9.exe	0%	Virustotal	Browse
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	0%	ReversingLabs
C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.phoenixcontact.com/	0%	Virustotal		Browse
http://www.indigorose.com	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.indigorose.comERROR:	irsetup.exe, 00000002.00000002.2847956855.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826847095.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.phoenixcontact.com/	irsetup.exe, 00000002.00000003.2826640586.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826600914.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2837708313.000000000441E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2840976065.0000000004426000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826509562.0000000004753000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2842645729.000000000442D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828366742.0000000004453000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2837620517.0000000004406000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828456225.0000000004466000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2841318428.0000000004426000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2841359508.0000000004429000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://select.phoenixcontact.com/phoenix/dwl/dwl01.jsp?from=psiconf&file=	irsetup.exe, 00000002.00000003.2825182735.00000000052F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.indigorose.com	irsetup.exe, 00000002.00000002.2847956855.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2826847095.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.phoenixcontact.com/EditField)_0	irsetup.exe, 00000002.00000003.2841085831.0000000004474000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828743366.000000000446C000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828671762.0000000004468000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828415199.000000000445D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828366742.0000000004453000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2828456225.0000000004466000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528774
Start date and time:	2024-10-08 09:44:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PSI-CONF_Setup_v2.76.exe
Detection:	SUS
Classification:	sus24.expl.evad.winEXE@18/192@0/0
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 98% Number of executed functions: 104 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PSI-CONF.exe, PID 4432 because it is empty
Execution Graph export aborted for target irsetup.exe, PID 6524 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll	SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi	Get hash	malicious	AteraAgent	Browse
	InstallDriver.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi	Get hash	malicious	AteraAgent	Browse
	SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	Get hash	malicious	AteraAgent	Browse
	https://dl.dell.com/FOLDER11489837M/1/DPeM_4M3XN_1.7.4_WN64_A00.exe	Get hash	malicious	Unknown	Browse
	PL23XX-M_LogoDriver_Setup_408_20220725.exe	Get hash	malicious	Unknown	Browse
	PL23XX-M_LogoDriver_Setup_408_20220725.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe	Get hash	malicious	Unknown	Browse
	SidecarASICIDESetup.msi	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys	tconnect_HCP_Software_v301_Installer.msi	Get hash	malicious	Unknown	Browse

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\PCID2313106.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313449\PCID2313449.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313533\PCID2313533.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313559\PCID2313559.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313643\PCID2313643.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313656\PCID2313656.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313669\PCID2313669.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702184\PCID2702184.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702863\PCID2702863.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2702878\PCID2702878.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2708517\PCID2708517.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901540\PCID2901540.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2901541\PCID2901541.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2904909\PCID2904909.dll VolumeInformation
Source: C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	281736
Entropy (8bit):	6.2508448798744025
Encrypted:	false
SSDEEP:	6144:rBZe7bs9oe7zRJSk2GbGcYXZt0gBsD5xp5:VAULJv2GydXZtzBsDN5
MD5:	BE32437D1739B5538398412C511CE671
SHA1:	202B5F1E6C960F2AC18F5641BB6289DF83A6F367
SHA-256:	E22D65BD78CA58C168869BE36867F7D3A88B1C5DD1001DC4F0507DA63666A1CC
SHA-512:	D8E3EF6BA03EF9EC62BD46CFD2FA196325D322734AC0CE4310520A9D36BB95DFD02455491EB27720FDBA2B092781ADA72000B24A16BE0AC941972A659F1F5BEC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f:..i..i..i.Wi..i.Ui...i.Eui...i.Eeiq..i...i..i..i..i.Efib..i.Eti..i.Epi..iRich..i........PE..L...h..N.....................`.......{............@..................................Z.......................................j...........w...........@..............................................p1..@...................$j..@....................text............................... ..`.rdata..............................@..@.data...<`.......0..................@....rsrc....w..........................@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	664
Entropy (8bit):	3.1797904448336247
Encrypted:	false
SSDEEP:	12:DXtEki3nYAHOa5YAk9aUGiqZsiN522ryc4Bak7Ynqqn4P7PN5eHMlq5e7:SNI3g3NNNUakSnW7PNwkqi
MD5:	3B6322B76724299A0E21A877A355F6E9
SHA1:	1DFCF47508E6197F0E8FFFBB389DDE68E4F6FA23
SHA-256:	966416F4E86A9E16CA64322A3C22BE70DBB256C65597AB312A04CD77B6EF82E3
SHA-512:	EEEBD98B35A9F59E0C6858FFF813FECA38854DD628EDC58EC1B89E83AC12E93D6DAF6FCF1FAAFC1FF003B5323B7D02FC43AB38EB121C512E843ADEF371ED940E
Malicious:	false
Preview:	.... ...........................X...<...............0...........X.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............L.......L.......?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...4.....F.i.l.e.V.e.r.s.i.o.n.....2...7.6...0...0.....<.....I.n.t.e.r.n.a.l.N.a.m.e...r.q.c.o.3.g.p.6...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.q.c.o.3.g.p.6...d.l.l.....8.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...2...7.6...0...0.....<.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...2...7.6...0...0.....

Process:	C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	580096
Entropy (8bit):	7.884950568875794
Encrypted:	false
SSDEEP:	12288:5gCYxPVQ1KRLLIyDASbumfbKFsdrojwSzunLEjzaQ/K1V+qr:5gCYQ1LGum4sx8Kofd/uV+w
MD5:	3FE7C92DBA5C9240B4AB0D6A87E6166A
SHA1:	7980D7DFFC073515B621834246DDA33AB00C308D
SHA-256:	A7818C1E0DAD1CBBA4D17809688887ADEEAFE940A3CB53A6AEABDFCD196F7258
SHA-512:	BD2C87B2D02B80B90F744A101BBB9294B1D90650A338BE725028E6649E46A759FA72032E80FFE911AE82B005B4D2394960E7B73CE7AD8FE3A70E8A47D2A7C98D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..A2...2...2......9.......7...........f...(.......0..........2.......2...........................3.......3...Rich2...........................PE..L....\|.J.................`....... .......0........@......................................................................................y...................................................................................{..`...................UPX0..... ..............................UPX1.....`...0...X..................@....rsrc............~...\..............@..............................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5992
Entropy (8bit):	5.5835373281452805
Encrypted:	false
SSDEEP:	96:KOvOAUHaqX2eMhdhpTCs1ojH4SvDivhacp1t1h0tHXBZYKLcJ0zx:XOAUHaq2eMhdhpTCsuz4SvDivhacpH1+
MD5:	6FA46FEDF1CBE21B587F21286466D8A6
SHA1:	39A9B9E3887960581A5F3E4DAA497F9111B7F74A
SHA-256:	32B8BDF3D6D7907AEC9FBA68B94BEF31FF5EB0597EB73C9B4FFE59B4B3CDAD69
SHA-512:	F003DDDC786885CF42D840840465D37EDE2506CD3BBDC68D7AD10B331F0F0DACDB8529043BCC0043A2632006BADD546E62CFB4CC9FE798013358603C92A7ECE3
Malicious:	false
Preview:	;/++..;..;Module Name:..;..; slabvcp.INF..;..; Copyright 2012, Silicon Laboratories..;..;Abstract:..; Installation INF for Silicon Laboratories CP210x device using KDMF Version 1.9..;..;--/....[Version]..Signature="$WINDOWS NT$"..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318}..Provider=%Provider%..DriverVer=12/10/2012,6.6.1.0..CatalogFile=slabvcp.cat......; ================= Device section =====================....[Manufacturer]..%MfgName%=SiLabs, NTamd64....[SiLabs]..%USB\VID_10C4&PID_EA60.DeviceDesc%=silabser.Dev, USB\VID_10C4&PID_EA60..%USB\VID_10C4&PID_EA70&Mi_00.DeviceDesc%=silabser.Dev, USB\VID_10C4&PID_EA70&Mi_00..%USB\VID_10C4&PID_EA70&Mi_01.DeviceDesc%=silabser.Dev, USB\VID_10C4&PID_EA70&Mi_01..%USB\VID_10C4&PID_EA71&Mi_00.DeviceDesc%=silabser.Dev, USB\VID_10C4&PID_EA71&Mi_00..%USB\VID_10C4&PID_EA71&Mi_01.DeviceDesc%=silabser.Dev, USB\VID_10C4&PID_EA71&Mi_01..%USB\VID_10C4&PID_EA71&Mi_02.DeviceDesc%=silabser.Dev, USB\VID_10C4&PID_EA71&Mi_02..%USB\VID_

Entrypoint:	0x403079
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4AF47EB7 [Fri Nov 6 19:53:27 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d2c82993d1a616abe994cabd5db7b4f8

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	02/05/2018 20:00:00 14/05/2021 19:59:59
Subject Chain	CN=Phoenix Contact GmbH & Co. KG, O=Phoenix Contact GmbH & Co. KG, L=Blomberg, S=Nordrhein-Westfalen, C=DE
Version:	3
Thumbprint MD5:	C21D408D642641DC9E3531039A9EABB1
Thumbprint SHA-1:	C4C7CFC624408FC93A1DD6544A82541682910E53
Thumbprint SHA-256:	83D416DEEAFC24EF54542FBFFA6C86FABB5AB66ED89DBA3B05886EB56DD82FB7
Serial:	0A7E5C8B1CAC8FEE5101A80D6746D546

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb02c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x706c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2c0aff0	0x1e30
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xac80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x70a4	0x8000	a8dbcac095aef6f1ff0f56e91c5abc15	False	0.552093505859375	data	6.153199000714585	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2882	0x3000	efb6029b9a5f70171975f6b5a16c78ce	False	0.318603515625	data	4.970546321524819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x1928	0x1000	cf8d7dd9f4b828868db85743b8601f51	False	0.21533203125	data	2.2322569522970026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xe000	0x706c	0x8000	6e74cd70184e9f7f78b013f341f1745f	False	0.46356201171875	data	5.866520937272414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xe2b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0xe3d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0xe940	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0xec28	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_ICON	0xf4d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7617328519855595
RT_ICON	0xfd78	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6437617260787992
RT_ICON	0x10e20	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.4097560975609756
RT_ICON	0x11488	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6391257995735607
RT_ICON	0x12330	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5276970954356847
RT_GROUP_ICON	0x148d8	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x14918	0x2e0	data	English	United States	0.45652173913043476
RT_MANIFEST	0x14bf8	0x473	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4881474978050922

DLL	Import
KERNEL32.dll	SetUnhandledExceptionFilter, lstrcmpiA, lstrcpyA, lstrlenA, _lclose, GetModuleFileNameA, _lread, _llseek, _lopen, _lwrite, _lcreat, CreateDirectoryA, SetCurrentDirectoryA, lstrcatA, FreeLibrary, GetProcAddress, LoadLibraryA, GetDiskFreeSpaceA, UnhandledExceptionFilter, RemoveDirectoryA, DeleteFileA, GetTempPathA, GetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, LocalFree, Sleep, HeapSize, RtlUnwind, LCMapStringW, LCMapStringA, GetStringTypeW, GetCurrentProcess, GetFileAttributesA, TerminateProcess, MultiByteToWideChar, GetStringTypeA, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, ExitProcess, HeapFree, HeapAlloc, GetCommandLineA, GetVersionExA, GetProcessHeap, GetStartupInfoA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WriteFile, GetStdHandle, InitializeCriticalSection, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetLocaleInfoA
USER32.dll	TranslateMessage, DispatchMessageA, PeekMessageA, wsprintfA, LoadCursorA, SetCursor, MessageBoxA, MsgWaitForMultipleObjects
ADVAPI32.dll	GetTokenInformation, OpenProcessToken
SHELL32.dll	ShellExecuteExA

Target ID:	0
Start time:	03:45:34
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe"
Imagebase:	0x400000
File size:	46'190'112 bytes
MD5 hash:	4BF5EC6EA419625FD7FBC9D7DF84B5F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	03:45:35
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:666146 "__IRAFN:C:\Users\user\Desktop\PSI-CONF_Setup_v2.76.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Imagebase:	0x400000
File size:	580'096 bytes
MD5 hash:	3FE7C92DBA5C9240B4AB0D6A87E6166A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	03:45:48
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\Phoenix Contact VCPInstaller.exe"
Imagebase:	0x400000
File size:	638'704 bytes
MD5 hash:	A6EA5C9B61F3DD92B3833AE2DD3FA72F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	03:46:04
Start date:	08/10/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{86984c43-8b67-194b-9c7f-ab018d349ed2}\slabvcp.inf" "9" "4f7b0f4b7" "0000000000000148" "WinSta0\Default" "0000000000000168" "208" "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0"
Imagebase:	0x7ff684650000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	03:46:05
Start date:	08/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7f7ce19-85e2-2b4e-af72-83044df6dea6} Global\{7407c8d9-0d94-0b41-8543-eb54da946896} C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.inf C:\Windows\System32\DriverStore\Temp\{2980290e-e66e-1341-aacb-9a72a3cc8330}\slabvcp.cat
Imagebase:	0x7ff6c2f30000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	03:46:49
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\icacls.exe" "C:\ProgramData\Phoenix Contact\PSIConfSoftware" /grant *S-1-1-0:(OI)M /T
Imagebase:	0xc90000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	03:46:52
Start date:	08/10/2024
Path:	C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Phoenix Contact\PSI-CONF\PSI-CONF.exe"
Imagebase:	0xe10000
File size:	5'014'064 bytes
MD5 hash:	8F6908A3C2F22EE306CC55D7CFA08320
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	14
Start time:	03:47:00
Start date:	08/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rqco3gp6.cmdline"
Imagebase:	0x400000
File size:	91'256 bytes
MD5 hash:	953344403C93E6FBB8C573273D645242
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.1%
Total number of Nodes:	1205
Total number of Limit Nodes:	25

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PSI-CONF_Setup_v2.76.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\DriverUninstaller.exe

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\slabvcp.cat

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\slabvcp.inf

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\WdfCoInstaller01009.dll

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabenm.sys

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x64\silabser.sys

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\WdfCoInstaller01009.dll

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabenm.sys

C:\Program Files (x86)\Phoenix Contact\Drivers\USB to UART Interface\x86\silabser.sys

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\BugReportCreator.exe

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\ICSharpCode.SharpZipLib.dll

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\BugReportGenerator\de\BugReportCreator.resources.dll

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\ModbusLib.dll

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PCID1081818.dll

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\PhoenixResourceManager.dll

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\de\PCID1081818.resources.dll

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID1081818\modbconf.xml

C:\Program Files (x86)\Phoenix Contact\PSI-CONF\Devices\PCID2313106\Firmware\Device\psiprog-1.57.exe

Windows Analysis Report
PSI-CONF_Setup_v2.76.exe

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre