"" opened "%TEMP%\nswF06A.tmp\System.dll" with delete access
"" opened "%TEMP%\nswF06A.tmp\modern-wizard.bmp" with delete access
"" opened "%TEMP%\nswF06A.tmp\modern-header.bmp" with delete access
"" opened "%TEMP%\nswF06A.tmp\ioSpecial.ini" with delete access
"" opened "%TEMP%\nswF06A.tmp\InstallOptions.dll" with delete access
"" opened "C:\Ross-Tech\VCDS\DPInst32.exe" with delete access
"" opened "C:\Ross-Tech\VCDS\VCDS-32.exe" with delete access
"" opened "C:\Ross-Tech\VCDS\AutoScan.txt" with delete access
"" opened "C:\Ross-Tech\VCDS\AutoScan-old.txt" with delete access
"" opened "C:\Ross-Tech\VCDS\AutoScan-older.txt" with delete access
"" opened "C:\Ross-Tech\VCDS\labels" with delete access
"" opened "C:\Ross-Tech\VCDS\labels.old" with delete access
"" opened "C:\Ross-Tech\VCDS\labels.older" with delete access
"" opened "%TEMP%\nswF06A.tmp" with delete access
"" opened "%TEMP%\nsg41DC.tmp" with delete access

Possibly checks for known debuggers/analysis tools
Source: Hybrid Analysis Technology; relevance: 7/10

Malicious artifacts seen in the context of a contacted from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)
from DPInst.EXE (PID: 3320)

"" wrote 4 bytes to a remote process "C:\Ross-Tech\VCDS\VCDS.EXE" (Handle: 516)
"" wrote 52 bytes to a remote process "C:\Ross-Tech\VCDS\VCDS.EXE" (Handle: 516)
"" wrote 32 bytes to a remote process "C:\Ross-Tech\VCDS\VCDS.EXE" (Handle: 516)
"" wrote 52 bytes to a remote process "C:\Ross-Tech\VCDS\DPInst.EXE" (Handle: 592)
"" wrote 32 bytes to a remote process "C:\Ross-Tech\VCDS\DPInst.EXE" (Handle: 592)
"" wrote 4 bytes to a remote process "C:\Ross-Tech\VCDS\DPInst.EXE" (Handle: 592)
"" wrote 1500 bytes to a remote process "C:\Ross-Tech\VCDS\DPInst.EXE" (Handle: 592)
"" wrote 4 bytes to a remote process "%PROGRAMFILES%\Adobe\Reader 11.0\Reader\AcroRd32.exe" (Handle: 464)
"" wrote 52 bytes to a remote process "%PROGRAMFILES%\Adobe\Reader 11.0\Reader\AcroRd32.exe" (Handle: 464)
"" wrote 32 bytes to a remote process "%PROGRAMFILES%\Adobe\Reader 11.0\Reader\AcroRd32.exe" (Handle: 464)