hxxps://dltemp[.]ross-tech[.]com/VCDS/download/O8934p/VCDS-Release-21[.]9[.]0-Installer[.]exe

Analysis

max time kernel
496s
max time network
360s
platform
windows10_x64
resource
win10-en-20211208
submitted
08-01-2022 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dltemp.ross-tech.com/VCDS/download/O8934p/VCDS-Release-21.9.0-Installer.exe

Score

8^/10

discovery link pdf

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

VCDS-Release-21.9.0-Installer.exeDPInst.exeVCDS.exeVCDS.EXE

pid process

3980 VCDS-Release-21.9.0-Installer.exe
2124 DPInst.exe
1484 VCDS.exe
2228 VCDS.EXE

Loads dropped DLL 11 IoCs

Processes:

VCDS-Release-21.9.0-Installer.exeVCDS.exeVCDS.EXE

pid	process
3980	VCDS-Release-21.9.0-Installer.exe
3980	VCDS-Release-21.9.0-Installer.exe
3980	VCDS-Release-21.9.0-Installer.exe
3980	VCDS-Release-21.9.0-Installer.exe
3980	VCDS-Release-21.9.0-Installer.exe
3980	VCDS-Release-21.9.0-Installer.exe
3980	VCDS-Release-21.9.0-Installer.exe
3980	VCDS-Release-21.9.0-Installer.exe
3980	VCDS-Release-21.9.0-Installer.exe
1484	VCDS.exe
2228	VCDS.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 33 IoCs

Processes:

DrvInst.exeDPInst.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DPInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\SETD000.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rt-usb64.inf_amd64_936b05782467367d\RT-USB64.SYS	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\SETD001.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\SETD001.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\SETD002.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\RT-USB64.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\HEXNET.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\SETB610.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hexnet.inf_amd64_643213b86e20194d\hexnet.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hexnet.inf_amd64_643213b86e20194d\hexnet.PNF	DPInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\SETCFFF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\rt-usb64.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\SETB60F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rt-usb64.inf_amd64_936b05782467367d\rt-usb64.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\hexnet.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rt-usb64.inf_amd64_936b05782467367d\RT-USB64.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\RT-USB64.SYS	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\SETD002.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rt-usb64.inf_amd64_936b05782467367d\RT-USB.DLL	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rt-usb64.inf_amd64_936b05782467367d\rt-usb64.PNF	DPInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\SETB60F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\SETD000.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\RT-USB.DLL	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hexnet.inf_amd64_643213b86e20194d\HEXNET.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\SETCFFF.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\SETB610.tmp	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

VCDS.exeVCDS.EXE

pid	process
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
2228	VCDS.EXE
2228	VCDS.EXE

Drops file in Program Files directory 1 IoCs

Processes:

DPInst.exe

description ioc process

File created C:\PROGRA~1\DIFX\D8FA49576CEE37BC\DPInst.exe DPInst.exe

description	ioc	process
File created	C:\PROGRA~1\DIFX\D8FA49576CEE37BC\DPInst.exe	DPInst.exe

Drops file in Windows directory 8 IoCs

Processes:

DrvInst.exeDPInst.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	DPInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DPInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Installation-Instructions.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeDrvInst.exeDPInst.exeDrvInst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DPInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DPInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DPInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DPInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DPInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DPInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DPInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DPInst.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 1 IoCs

Processes:

VCDS-Release-21.9.0-Installer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings VCDS-Release-21.9.0-Installer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	VCDS-Release-21.9.0-Installer.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exeAcroRd32.exe

pid	process
1016	chrome.exe
1016	chrome.exe
2620	chrome.exe
2620	chrome.exe
2052	chrome.exe
2052	chrome.exe
3004	chrome.exe
3004	chrome.exe
772	chrome.exe
772	chrome.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

VCDS-Release-21.9.0-Installer.exe

pid process

3980 VCDS-Release-21.9.0-Installer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2620 chrome.exe
2620 chrome.exe
2620 chrome.exe
2620 chrome.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeAuditPrivilege 668 svchost.exe
Token: SeSecurityPrivilege 668 svchost.exe

description	pid	process
Token: SeAuditPrivilege	668	svchost.exe
Token: SeSecurityPrivilege	668	svchost.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

chrome.exeAcroRd32.exe

pid	process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
3692	AcroRd32.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

VCDS-Release-21.9.0-Installer.exeAcroRd32.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeDPInst.exeVCDS.exeVCDS.EXE

pid	process
3980	VCDS-Release-21.9.0-Installer.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
3692	AcroRd32.exe
1156	RdrCEF.exe
1300	RdrCEF.exe
416	RdrCEF.exe
3680	RdrCEF.exe
1936	RdrCEF.exe
3692	AcroRd32.exe
2124	DPInst.exe
1484	VCDS.exe
1484	VCDS.exe
1484	VCDS.exe
2228	VCDS.EXE
2228	VCDS.EXE
3692	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2620 wrote to memory of 2648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 2648	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 792	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1016	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1016	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe
PID 2620 wrote to memory of 1552	2620	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://dltemp.ross-tech.com/VCDS/download/O8934p/VCDS-Release-21.9.0-Installer.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb36be4f50,0x7ffb36be4f60,0x7ffb36be4f70
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1904 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1552 /prefetch:2
2⤵
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:8
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
2⤵
PID:480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4108 /prefetch:8
2⤵
PID:328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4784 /prefetch:8
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4184 /prefetch:8
2⤵
PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
PID:776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5264 /prefetch:8
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
2⤵
PID:328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,7656995315998897425,15306212213182496125,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
2⤵
PID:4024

C:\Users\Admin\Downloads\VCDS-Release-21.9.0-Installer.exe
"C:\Users\Admin\Downloads\VCDS-Release-21.9.0-Installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Installation-Instructions.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40013852A88534221F324842F23B9F73 --mojo-platform-channel-handle=1660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0CC009504E014B40CB957BC3D259AF19 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0CC009504E014B40CB957BC3D259AF19 --renderer-client-id=2 --mojo-platform-channel-handle=1672 --allow-no-sandbox-job /prefetch:1
5⤵
PID:2192

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2A58239FBCFBB8891D6BA210BEF62681 --mojo-platform-channel-handle=2256 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:416

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=443BF3BEB54E99D7439033C0A4A7C899 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=443BF3BEB54E99D7439033C0A4A7C899 --renderer-client-id=5 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job /prefetch:1
5⤵
PID:3972

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=85D6814594A27BD6F37F04E5FB9C1A58 --mojo-platform-channel-handle=1832 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5E0B4F28E2E0CBE5C7AB69493401CBC3 --mojo-platform-channel-handle=1880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Ross-Tech\VCDS\DPInst.exe
"C:\Ross-Tech\VCDS\DPInst.exe" /f
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Ross-Tech\VCDS\VCDS.exe
"C:\Ross-Tech\VCDS\VCDS.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1484

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{63ad7519-c765-5246-b21f-a397be5808b6}\hexnet.inf" "9" "4b027259f" "0000000000000164" "WinSta0\Default" "0000000000000174" "208" "c:\ross-tech\vcds"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:568

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{e8c7e22d-2481-dc4e-81d0-e2d3a3816c4c} Global\{9a53ece1-6008-6e49-af6c-fdfe1c1f4a47} C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\hexnet.inf C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\HEXNET.cat
3⤵
PID:1948

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{46b34126-ae72-fc48-9c7c-5e0473fcbcd8}\rt-usb64.inf" "9" "4fcbb46e7" "000000000000017C" "WinSta0\Default" "0000000000000178" "208" "c:\ross-tech\vcds"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2588

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{fc5c46b4-8448-004b-80b2-c20c86e76e3f} Global\{71b3b5d4-849e-b840-9915-6cb65962ba31} C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\rt-usb64.inf C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\RT-USB64.cat
3⤵
PID:1180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3492

C:\Ross-Tech\VCDS\VCDS.EXE
"C:\Ross-Tech\VCDS\VCDS.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Ross-Tech\VCDS\DPInst.EXE
MD5
b368feace16f83eec0565afa8462eef9

SHA1
f6a3c3f91df6b88441b711b8017dc7b8165d60cc

SHA256
9abb993585a69136576dae7eea8745bb30c8440aa333e0b81c0ec77695307473

SHA512
84c484ecd49e13007b71f2908b7aa8799785c22bda04ce4dae826a8f9f00e24c4dd0fc261ad8bf4bb6538000ed424c828bf5322efc1101e24466871378681a97

Download Submit
C:\Ross-Tech\VCDS\DPInst.exe
MD5
b368feace16f83eec0565afa8462eef9

SHA1
f6a3c3f91df6b88441b711b8017dc7b8165d60cc

SHA256
9abb993585a69136576dae7eea8745bb30c8440aa333e0b81c0ec77695307473

SHA512
84c484ecd49e13007b71f2908b7aa8799785c22bda04ce4dae826a8f9f00e24c4dd0fc261ad8bf4bb6538000ed424c828bf5322efc1101e24466871378681a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation-Instructions.pdf
MD5
a387496d109e9ce54cbfe1556b5757d6

SHA1
6d1cb8941f5ee3ed425955f5246f08f0addd55ce

SHA256
4971b142390d7e34030921fb035cebe6d132001ec6bb97f8d1089293d7fa1f3f

SHA512
997f06c122f5c63a53952ff5cdbeb53c8a5bd5f8fa45d2f617120e563007a0960a9f5cf687bd9dcc44de1ed58c59f85b4b414902582ef90039fd000408e1276d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{46B34~1\RT-USB.DLL
MD5
9df64e7edb3b70410d80008c916a9322

SHA1
48d19590e571f078f3a28564937d3f68ed09be21

SHA256
5a42313f5b7e4380e1a7b0fb8d1abc97f9321ce383c2cade85199892c550a9eb

SHA512
614e034648753860fe5a6b68e3d29533c965967fb94bb9b266dba3df77b24bfe133844baa75c6b135888159250eac36f741053905ce03ab15d682df4fb775a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{46B34~1\RT-USB64.SYS
MD5
2d16360308c99fcbc0b97d7930d1b4e0

SHA1
b1730716630a0c68517e3481e7fbf0d28f88d0ee

SHA256
e252f42a7d93c774813e2de8a17c29a74f1901a223ddb925423cb64d31e197dd

SHA512
f20d0ca0f339af264f68301a2f77e5d959343afe8c31793edd190e25016cd616ffeff7f10e824b5f287b32a9b4c48d301b16bd34e8c3217ece3ac4286ea5e4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{46B34~1\RT-USB64.cat
MD5
a43f337f78211c8da106a37f45fb099d

SHA1
297ec5c3063999140699b144ccf03ded2050b576

SHA256
1c88f69cd770b02f037a74fcb531c8e4547b7725ba98aae4e563ca4e0a17582c

SHA512
2f20a35eccfc746ad82a9135f87c87845788bf4032d1347a946cfc98424192a3431d844837c6a54c9a283cb6db11ecb20d37e33d2828a9f4c53d1e9438380138

Download Submit
C:\Users\Admin\AppData\Local\Temp\{46b34126-ae72-fc48-9c7c-5e0473fcbcd8}\rt-usb64.inf
MD5
7c6231227d356aed4ecaa06b4da9322d

SHA1
88b02c4bd09aa7910c55c4e74be8f036244b5cf9

SHA256
b31276e1af141846c2bc9be0f9ea64b7dcc67f8dc169cee775de4707d80ede63

SHA512
8440898bd3eb2c916c06cb5ab8e205d3b4a5896e8bf0429085459ebe353e1a9f7969afb09ee434d1ccc8c321e9d1b16e887d45a98b012159d8dfd7c1a7c29ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{63AD7~1\HEXNET.cat
MD5
57d1005de863e19aa8f45d3fb85c58e9

SHA1
436e5f09ac7e58346f9cc53c46c3203ff033095d

SHA256
416b6a11780ce0abb9d78d08b2f67acf4b74d5e6b2c7217bd1e7eef11c687ca2

SHA512
016ac19435d450d4060ac5834122d528d141e38a55fa7205d6b8642f2c7d70b4198c0ae819e78607b890752c2bff62c99314365527a67859f153b9a8bdd6f7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{63ad7519-c765-5246-b21f-a397be5808b6}\hexnet.inf
MD5
fadff1d7351530e6fd4463965c3b3580

SHA1
3a9b09bbd4f12a76fbbd3a428729660930ba5f13

SHA256
490ff7b30290524a225e72b8cd9b2a7f6f93812c9b088efc31e3817defdeb284

SHA512
b47d5eaacd85b4e2dc3ea87c33dd915431780daaaf8e784e89602583daa6a5fbf2423202bd706eac7410d6c0a5fcd3a6bee15f6dbcc57880d0bac7c9699a1094

Download Submit
C:\Users\Admin\Downloads\VCDS-Release-21.9.0-Installer.exe
MD5
fe67a1d0a66f99023f5c4313769cbc57

SHA1
616f1ac485197215b460d73fcd72f7bb3a313a44

SHA256
02418f3b6586004d11d377a6a28504d3e44e2e0d3cf4e4019f56b635b4f06885

SHA512
e4d9a246a813f113d29d82d1c85c1a9adf30de62d87bd3d574d80e43dc9f25dac9f6d134ee0b905a2753a2c17fdfe29ef35df59621270b9041203799895d33af

Download Submit
C:\Users\Admin\Downloads\VCDS-Release-21.9.0-Installer.exe
MD5
fe67a1d0a66f99023f5c4313769cbc57

SHA1
616f1ac485197215b460d73fcd72f7bb3a313a44

SHA256
02418f3b6586004d11d377a6a28504d3e44e2e0d3cf4e4019f56b635b4f06885

SHA512
e4d9a246a813f113d29d82d1c85c1a9adf30de62d87bd3d574d80e43dc9f25dac9f6d134ee0b905a2753a2c17fdfe29ef35df59621270b9041203799895d33af

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt
MD5
053dccc8adb9bb71a07900030c66f241

SHA1
83213c7c616939d6ab7e2661174d0411d9fd85e5

SHA256
0adc02a1b58727330599da11a46ea787dc85baf0879d6274e5d7f07bcdf87a44

SHA512
8615b91f44d1da618e74becc745fe0f30367d11415c7e353e154661eff307291940ff0941fe7494d95f3d515c82764ddc6b4e04ea7316435cca1257f101c06fd

Download Submit
C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\HEXNET.cat
MD5
57d1005de863e19aa8f45d3fb85c58e9

SHA1
436e5f09ac7e58346f9cc53c46c3203ff033095d

SHA256
416b6a11780ce0abb9d78d08b2f67acf4b74d5e6b2c7217bd1e7eef11c687ca2

SHA512
016ac19435d450d4060ac5834122d528d141e38a55fa7205d6b8642f2c7d70b4198c0ae819e78607b890752c2bff62c99314365527a67859f153b9a8bdd6f7c8

Download Submit
C:\Windows\System32\DriverStore\Temp\{381b4da4-a71d-d34e-892d-a76dd2981e60}\hexnet.inf
MD5
fadff1d7351530e6fd4463965c3b3580

SHA1
3a9b09bbd4f12a76fbbd3a428729660930ba5f13

SHA256
490ff7b30290524a225e72b8cd9b2a7f6f93812c9b088efc31e3817defdeb284

SHA512
b47d5eaacd85b4e2dc3ea87c33dd915431780daaaf8e784e89602583daa6a5fbf2423202bd706eac7410d6c0a5fcd3a6bee15f6dbcc57880d0bac7c9699a1094

Download Submit
C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\RT-USB64.cat
MD5
a43f337f78211c8da106a37f45fb099d

SHA1
297ec5c3063999140699b144ccf03ded2050b576

SHA256
1c88f69cd770b02f037a74fcb531c8e4547b7725ba98aae4e563ca4e0a17582c

SHA512
2f20a35eccfc746ad82a9135f87c87845788bf4032d1347a946cfc98424192a3431d844837c6a54c9a283cb6db11ecb20d37e33d2828a9f4c53d1e9438380138

Download Submit
C:\Windows\System32\DriverStore\Temp\{f01bd5dc-efbb-0d46-bde2-2e92b22c7aa4}\rt-usb64.inf
MD5
7c6231227d356aed4ecaa06b4da9322d

SHA1
88b02c4bd09aa7910c55c4e74be8f036244b5cf9

SHA256
b31276e1af141846c2bc9be0f9ea64b7dcc67f8dc169cee775de4707d80ede63

SHA512
8440898bd3eb2c916c06cb5ab8e205d3b4a5896e8bf0429085459ebe353e1a9f7969afb09ee434d1ccc8c321e9d1b16e887d45a98b012159d8dfd7c1a7c29ca3

Download Submit
\??\c:\ROSS-T~1\vcds\HEXNET.cat
MD5
57d1005de863e19aa8f45d3fb85c58e9

SHA1
436e5f09ac7e58346f9cc53c46c3203ff033095d

SHA256
416b6a11780ce0abb9d78d08b2f67acf4b74d5e6b2c7217bd1e7eef11c687ca2

SHA512
016ac19435d450d4060ac5834122d528d141e38a55fa7205d6b8642f2c7d70b4198c0ae819e78607b890752c2bff62c99314365527a67859f153b9a8bdd6f7c8

Download Submit
\??\c:\ROSS-T~1\vcds\RT-USB.DLL
MD5
9df64e7edb3b70410d80008c916a9322

SHA1
48d19590e571f078f3a28564937d3f68ed09be21

SHA256
5a42313f5b7e4380e1a7b0fb8d1abc97f9321ce383c2cade85199892c550a9eb

SHA512
614e034648753860fe5a6b68e3d29533c965967fb94bb9b266dba3df77b24bfe133844baa75c6b135888159250eac36f741053905ce03ab15d682df4fb775a5f

Download Submit
\??\c:\ROSS-T~1\vcds\RT-USB64.SYS
MD5
2d16360308c99fcbc0b97d7930d1b4e0

SHA1
b1730716630a0c68517e3481e7fbf0d28f88d0ee

SHA256
e252f42a7d93c774813e2de8a17c29a74f1901a223ddb925423cb64d31e197dd

SHA512
f20d0ca0f339af264f68301a2f77e5d959343afe8c31793edd190e25016cd616ffeff7f10e824b5f287b32a9b4c48d301b16bd34e8c3217ece3ac4286ea5e4f3

Download Submit
\??\c:\ROSS-T~1\vcds\RT-USB64.cat
MD5
a43f337f78211c8da106a37f45fb099d

SHA1
297ec5c3063999140699b144ccf03ded2050b576

SHA256
1c88f69cd770b02f037a74fcb531c8e4547b7725ba98aae4e563ca4e0a17582c

SHA512
2f20a35eccfc746ad82a9135f87c87845788bf4032d1347a946cfc98424192a3431d844837c6a54c9a283cb6db11ecb20d37e33d2828a9f4c53d1e9438380138

Download Submit
\??\c:\ross-tech\vcds\hexnet.inf
MD5
fadff1d7351530e6fd4463965c3b3580

SHA1
3a9b09bbd4f12a76fbbd3a428729660930ba5f13

SHA256
490ff7b30290524a225e72b8cd9b2a7f6f93812c9b088efc31e3817defdeb284

SHA512
b47d5eaacd85b4e2dc3ea87c33dd915431780daaaf8e784e89602583daa6a5fbf2423202bd706eac7410d6c0a5fcd3a6bee15f6dbcc57880d0bac7c9699a1094

Download Submit
\??\c:\ross-tech\vcds\rt-usb64.inf
MD5
7c6231227d356aed4ecaa06b4da9322d

SHA1
88b02c4bd09aa7910c55c4e74be8f036244b5cf9

SHA256
b31276e1af141846c2bc9be0f9ea64b7dcc67f8dc169cee775de4707d80ede63

SHA512
8440898bd3eb2c916c06cb5ab8e205d3b4a5896e8bf0429085459ebe353e1a9f7969afb09ee434d1ccc8c321e9d1b16e887d45a98b012159d8dfd7c1a7c29ca3

Download Submit
\??\pipe\crashpad_2620_BSXQLNQPTQCPEQIL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\InstallOptions.dll
MD5
05bf02da51e717f79f6b5cbea7bc0710

SHA1
07471a64ef4dba9dc19ce68ae6cce683af7df86d

SHA256
ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

SHA512
c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\InstallOptions.dll
MD5
05bf02da51e717f79f6b5cbea7bc0710

SHA1
07471a64ef4dba9dc19ce68ae6cce683af7df86d

SHA256
ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

SHA512
c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\System.dll
MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\liteFirewall.dll
MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\liteFirewall.dll
MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\liteFirewall.dll
MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\liteFirewall.dll
MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\liteFirewall.dll
MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
\Users\Admin\AppData\Local\Temp\nsu8D4A.tmp\liteFirewall.dll
MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
memory/416-135-0x00000000007B2000-0x00000000007B3000-memory.dmp

Filesize
4KB

Download
memory/416-136-0x0000000000000000-mapping.dmp

Download
memory/416-134-0x0000000076F72000-0x0000000076F73000-memory.dmp

Filesize
4KB

Download
memory/568-163-0x0000000000000000-mapping.dmp

Download
memory/1156-123-0x0000000000000000-mapping.dmp

Download
memory/1180-179-0x0000000000000000-mapping.dmp

Download
memory/1300-128-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1300-126-0x0000000000000000-mapping.dmp

Download
memory/1300-125-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1300-124-0x0000000076F72000-0x0000000076F73000-memory.dmp

Filesize
4KB

Download
memory/1484-193-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-204-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-218-0x00007FFB44550000-0x00007FFB44560000-memory.dmp

Filesize
64KB

Download
memory/1484-217-0x00007FFAC4550000-0x00007FFAC4560000-memory.dmp

Filesize
64KB

Download
memory/1484-215-0x0000000140000000-0x000000014BEDE000-memory.dmp

Filesize
190.9MB

Download
memory/1484-216-0x00007FFB44410000-0x00007FFB44420000-memory.dmp

Filesize
64KB

Download
memory/1484-214-0x0000000140000000-0x000000014BEDE000-memory.dmp

Filesize
190.9MB

Download
memory/1484-213-0x0000000140000000-0x000000014BEDE000-memory.dmp

Filesize
190.9MB

Download
memory/1484-211-0x0000000140000000-0x000000014BEDE000-memory.dmp

Filesize
190.9MB

Download
memory/1484-212-0x00007FF5FFAF0000-0x00007FF5FFEC1000-memory.dmp

Filesize
3.8MB

Download
memory/1484-210-0x00007FFB44340000-0x00007FFB44350000-memory.dmp

Filesize
64KB

Download
memory/1484-209-0x00007FFB44340000-0x00007FFB44350000-memory.dmp

Filesize
64KB

Download
memory/1484-203-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-208-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-207-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-205-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-206-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-201-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-202-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-182-0x0000000000000000-mapping.dmp

Download
memory/1484-184-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-185-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-183-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-186-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-187-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-189-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-190-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-188-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-191-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-192-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-200-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-195-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-196-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-194-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-197-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-198-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1484-199-0x00007FFB442E0000-0x00007FFB442F0000-memory.dmp

Filesize
64KB

Download
memory/1936-148-0x0000000076F72000-0x0000000076F73000-memory.dmp

Filesize
4KB

Download
memory/1936-150-0x0000000000000000-mapping.dmp

Download
memory/1936-149-0x0000000000B5F000-0x0000000000B60000-memory.dmp

Filesize
4KB

Download
memory/1948-166-0x0000000000000000-mapping.dmp

Download
memory/2124-158-0x0000000000000000-mapping.dmp

Download
memory/2192-127-0x0000000076F72000-0x0000000076F73000-memory.dmp

Filesize
4KB

Download
memory/2192-129-0x0000000000F3D000-0x0000000000F3E000-memory.dmp

Filesize
4KB

Download
memory/2192-130-0x0000000000000000-mapping.dmp

Download
memory/2192-132-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2192-133-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2588-174-0x0000000000000000-mapping.dmp

Download
memory/3680-144-0x0000000076F72000-0x0000000076F73000-memory.dmp

Filesize
4KB

Download
memory/3680-145-0x0000000000D35000-0x0000000000D36000-memory.dmp

Filesize
4KB

Download
memory/3680-146-0x0000000000000000-mapping.dmp

Download
memory/3692-118-0x0000000000000000-mapping.dmp

Download
memory/3972-140-0x0000000000000000-mapping.dmp

Download
memory/3972-139-0x0000000000D57000-0x0000000000D58000-memory.dmp

Filesize
4KB

Download
memory/3972-137-0x0000000076F72000-0x0000000076F73000-memory.dmp

Filesize
4KB

Download
memory/3980-115-0x0000000000000000-mapping.dmp

Download