c0f41b2cecb2fdeb5e93067d74a26a094d0530d4d0afe629815c24b20abb9038

Analysis

max time kernel
104s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2023, 17:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe
Size

3.4MB
MD5

28fd0542d662e032b3ebc5901a902c4f
SHA1

be50a5b42726a6ab3e38fa23fe852a533b6f2173
SHA256

c0f41b2cecb2fdeb5e93067d74a26a094d0530d4d0afe629815c24b20abb9038
SHA512

d94cfc9cfd0163698a2062c5198d83e9b15e8b5e69b472f8dea08fe0a79853f2fc11dd0054f64cbc8d791d6240f2c7689d16b2a823568d65519756fd2dfe4c7c
SSDEEP

49152:wQVxJGpHftJyUcrmKfRl9ybQ24bVTnD912x6G9A9pJzy+F85RWI/N4eefNmMpMqX:wiJylWxRyAVH2MP9TzylfWIWRuWDvb

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\DBUtilDrv2.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\DBUtilDrv2.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\DBUtilDrv2.sys	DrvInst.exe

Executes dropped EXE 5 IoCs

pid	Process
5072	C9632CF058AE4321B6B0B5EA39B710FE
3768	C9632CF058AE4321B6B0B5EA39B710FE
1420	C9632CF058AE4321B6B0B5EA39B710FE
3636	C9632CF058AE4321B6B0B5EA39B710FE
520	C9632CF058AE4321B6B0B5EA39B710FE

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\DBUtilDrv2.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\DBUtilDrv2.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\SET6691.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\SET66D0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\SET738F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\DBUtilDrv2.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\SET667F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\SET66D0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\SET739F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\SET73FE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\SET740F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\SET6690.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\SET6690.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\SET738F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\dbutildrv2.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\DBUtilDrv2.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\dbutildrv2.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\SET73FE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\SET739F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.PNF	C9632CF058AE4321B6B0B5EA39B710FE
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7a36d7ab-273d-d347-a74e-9ffe7f78fbb6}\SET740F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\SET6691.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.PNF	C9632CF058AE4321B6B0B5EA39B710FE
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b28e5d7f-be66-694f-8a15-35a72c8c1c65}\SET667F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.PNF	C9632CF058AE4321B6B0B5EA39B710FE

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	C9632CF058AE4321B6B0B5EA39B710FE
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	C9632CF058AE4321B6B0B5EA39B710FE
File opened for modification	C:\Windows\inf\oem2.pnf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	C9632CF058AE4321B6B0B5EA39B710FE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	C9632CF058AE4321B6B0B5EA39B710FE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	C9632CF058AE4321B6B0B5EA39B710FE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	C9632CF058AE4321B6B0B5EA39B710FE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeAuditPrivilege	1532	svchost.exe
Token: SeSecurityPrivilege	1532	svchost.exe
Token: SeLoadDriverPrivilege	3768	C9632CF058AE4321B6B0B5EA39B710FE
Token: SeRestorePrivilege	112	DrvInst.exe
Token: SeBackupPrivilege	112	DrvInst.exe
Token: SeRestorePrivilege	112	DrvInst.exe
Token: SeBackupPrivilege	112	DrvInst.exe
Token: SeLoadDriverPrivilege	112	DrvInst.exe
Token: SeLoadDriverPrivilege	112	DrvInst.exe
Token: SeLoadDriverPrivilege	112	DrvInst.exe
Token: SeLoadDriverPrivilege	1420	C9632CF058AE4321B6B0B5EA39B710FE
Token: SeLoadDriverPrivilege	1420	C9632CF058AE4321B6B0B5EA39B710FE
Token: SeRestorePrivilege	3716	DrvInst.exe
Token: SeBackupPrivilege	3716	DrvInst.exe
Token: SeRestorePrivilege	3716	DrvInst.exe
Token: SeBackupPrivilege	3716	DrvInst.exe
Token: SeLoadDriverPrivilege	520	C9632CF058AE4321B6B0B5EA39B710FE
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeBackupPrivilege	1432	DrvInst.exe
Token: SeRestorePrivilege	1432	DrvInst.exe
Token: SeBackupPrivilege	1432	DrvInst.exe
Token: SeLoadDriverPrivilege	1432	DrvInst.exe
Token: SeLoadDriverPrivilege	1432	DrvInst.exe
Token: SeLoadDriverPrivilege	1432	DrvInst.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 5072	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	78
PID 2564 wrote to memory of 5072	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	78
PID 2564 wrote to memory of 3768	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	79
PID 2564 wrote to memory of 3768	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	79
PID 1532 wrote to memory of 728	1532	svchost.exe	81
PID 1532 wrote to memory of 728	1532	svchost.exe	81
PID 1532 wrote to memory of 112	1532	svchost.exe	82
PID 1532 wrote to memory of 112	1532	svchost.exe	82
PID 2564 wrote to memory of 1420	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	84
PID 2564 wrote to memory of 1420	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	84
PID 1532 wrote to memory of 3716	1532	svchost.exe	85
PID 1532 wrote to memory of 3716	1532	svchost.exe	85
PID 2564 wrote to memory of 3636	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	86
PID 2564 wrote to memory of 3636	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	86
PID 2564 wrote to memory of 520	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	87
PID 2564 wrote to memory of 520	2564	C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe	87
PID 1532 wrote to memory of 3100	1532	svchost.exe	88
PID 1532 wrote to memory of 3100	1532	svchost.exe	88
PID 1532 wrote to memory of 1432	1532	svchost.exe	89
PID 1532 wrote to memory of 1432	1532	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe
"C:\Users\Admin\AppData\Local\Temp\C0F41B2CECB2FDEB5E93067D74A26A094D0530D4D0AFE629815C24B20ABB9038.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE
  C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE F
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE
  C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE C:\Users\Admin\AppData\Local\Temp\DBUtil_Driver\DBUtilDrv2.inf
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE
  C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE U
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE
  C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE F
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE
  C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE C:\Users\Admin\AppData\Local\Temp\DBUtil_Driver\DBUtilDrv2.inf
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{296b375e-13f6-9b40-8801-6d4dc3afbb3c}\dbutildrv2.inf" "9" "4d84ffb57" "000000000000014C" "WinSta0\Default" "0000000000000164" "208" "c:\users\admin\appdata\local\temp\dbutil_driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:728
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\DELLUTILS\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:c14ce884ace7bd5f:DBUtilDrv2_Device:2.7.0.0:root\dbutildrv2," "4d84ffb57" "000000000000014C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "5" "2" "C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.inf" "0" "41cd3a117" "0000000000000100" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c0c19522-f9a1-2540-babb-b9a19480ea54}\dbutildrv2.inf" "9" "4d84ffb57" "0000000000000100" "WinSta0\Default" "000000000000014C" "208" "c:\users\admin\appdata\local\temp\dbutil_driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3100
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\DELLUTILS\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:c14ce884ace7bd5f:DBUtilDrv2_Device:2.7.0.0:root\dbutildrv2," "4d84ffb57" "0000000000000100"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DBUtil_Driver\DBUtilDrv2.inf

Filesize
2KB

MD5
b87944dcc444e4c6ce9bb9fb8a9c0def

SHA1
19f8da3fe9ddbc067e3715d15aed7a6530732ab5

SHA256
56ed7ff7299c83b307282ce8d1def51d72a3663249e72a32c09f6264348b1da2

SHA512
bc220967122965335a722899f0995d651b104000d4ad604da8db50df023cbe1637c04fec42bc52e047547f5acd8b9348ef6ae4013378bb4a534aeb62787e154b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBUtil_Driver\DBUtilDrv2.inf

Filesize
2KB

MD5
b87944dcc444e4c6ce9bb9fb8a9c0def

SHA1
19f8da3fe9ddbc067e3715d15aed7a6530732ab5

SHA256
56ed7ff7299c83b307282ce8d1def51d72a3663249e72a32c09f6264348b1da2

SHA512
bc220967122965335a722899f0995d651b104000d4ad604da8db50df023cbe1637c04fec42bc52e047547f5acd8b9348ef6ae4013378bb4a534aeb62787e154b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE

Filesize
108KB

MD5
94758f0d75bc41190b05ee25ba565fb9

SHA1
f1c876dcb8f330b976cf31be47f9d510fd76e2d8

SHA256
cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc

SHA512
ee5c16ca0b71be718df177aa6cfdebf65f5a6d818f11ca70fce6a036f9fc8d855af4117a6d5e447456b7d849488b6a5ec2aaa6dd094ec61d59829e942e193757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE

Filesize
108KB

MD5
94758f0d75bc41190b05ee25ba565fb9

SHA1
f1c876dcb8f330b976cf31be47f9d510fd76e2d8

SHA256
cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc

SHA512
ee5c16ca0b71be718df177aa6cfdebf65f5a6d818f11ca70fce6a036f9fc8d855af4117a6d5e447456b7d849488b6a5ec2aaa6dd094ec61d59829e942e193757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE

Filesize
108KB

MD5
94758f0d75bc41190b05ee25ba565fb9

SHA1
f1c876dcb8f330b976cf31be47f9d510fd76e2d8

SHA256
cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc

SHA512
ee5c16ca0b71be718df177aa6cfdebf65f5a6d818f11ca70fce6a036f9fc8d855af4117a6d5e447456b7d849488b6a5ec2aaa6dd094ec61d59829e942e193757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE

Filesize
108KB

MD5
94758f0d75bc41190b05ee25ba565fb9

SHA1
f1c876dcb8f330b976cf31be47f9d510fd76e2d8

SHA256
cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc

SHA512
ee5c16ca0b71be718df177aa6cfdebf65f5a6d818f11ca70fce6a036f9fc8d855af4117a6d5e447456b7d849488b6a5ec2aaa6dd094ec61d59829e942e193757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE

Filesize
108KB

MD5
94758f0d75bc41190b05ee25ba565fb9

SHA1
f1c876dcb8f330b976cf31be47f9d510fd76e2d8

SHA256
cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc

SHA512
ee5c16ca0b71be718df177aa6cfdebf65f5a6d818f11ca70fce6a036f9fc8d855af4117a6d5e447456b7d849488b6a5ec2aaa6dd094ec61d59829e942e193757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper\C9632CF058AE4321B6B0B5EA39B710FE

Filesize
108KB

MD5
94758f0d75bc41190b05ee25ba565fb9

SHA1
f1c876dcb8f330b976cf31be47f9d510fd76e2d8

SHA256
cd2688a74a151b03282388dadb8b6aaca309f2535c8b2b21d1243846d2b259dc

SHA512
ee5c16ca0b71be718df177aa6cfdebf65f5a6d818f11ca70fce6a036f9fc8d855af4117a6d5e447456b7d849488b6a5ec2aaa6dd094ec61d59829e942e193757

Download Submit
C:\Users\Admin\AppData\Local\Temp\{296B3~1\DBUtilDrv2.cat

Filesize
10KB

MD5
de39ee41d03c97e37849af90e408abbe

SHA1
06f2b629e7303ac1254b52ec0560c34d72b46155

SHA256
c77c24e945acc73d6b723f60bcdc0330ff501eea34b7da95061101dd1120392a

SHA512
f30f8b8317592f12d3198bed3204b7f5a5a7340dfc9a7370c19cca6492171818a6de08a24d877a5c5e75b82ccfbb3ba830c27d1b724f12389144b0fb20c4699f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{296B3~1\DBUtilDrv2.sys

Filesize
24KB

MD5
d104621c93213942b7b43d65b5d8d33e

SHA1
b03b1996a40bfea72e4584b82f6b845c503a9748

SHA256
71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009

SHA512
4fba2a50b89ef203e0e37ea2a4d6722c6fdce2b11fee9c3df6f335e2a51019431f13695106ba5fbbd9c28c8be0c92626622974770c08b3cd2b0c5e3fa8086d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\{296B3~1\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
290464641660ea5cfdda076ce6da27c6

SHA1
c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b

SHA256
3b9264416a78f5eab2812cd46b14f993815e9dbf5bd145b3876c2f0f93b98521

SHA512
5b07ad84dfda0b5beba39f6878f402dac12c70872d403b11cc8c23415d655a1a34d07fba43916031faf21421c17d541573fe9ddb178b021b1e19ebac5afbabcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{296b375e-13f6-9b40-8801-6d4dc3afbb3c}\dbutildrv2.inf

Filesize
2KB

MD5
b87944dcc444e4c6ce9bb9fb8a9c0def

SHA1
19f8da3fe9ddbc067e3715d15aed7a6530732ab5

SHA256
56ed7ff7299c83b307282ce8d1def51d72a3663249e72a32c09f6264348b1da2

SHA512
bc220967122965335a722899f0995d651b104000d4ad604da8db50df023cbe1637c04fec42bc52e047547f5acd8b9348ef6ae4013378bb4a534aeb62787e154b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C0C19~1\DBUtilDrv2.cat

Filesize
10KB

MD5
de39ee41d03c97e37849af90e408abbe

SHA1
06f2b629e7303ac1254b52ec0560c34d72b46155

SHA256
c77c24e945acc73d6b723f60bcdc0330ff501eea34b7da95061101dd1120392a

SHA512
f30f8b8317592f12d3198bed3204b7f5a5a7340dfc9a7370c19cca6492171818a6de08a24d877a5c5e75b82ccfbb3ba830c27d1b724f12389144b0fb20c4699f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C0C19~1\DBUtilDrv2.sys

Filesize
24KB

MD5
d104621c93213942b7b43d65b5d8d33e

SHA1
b03b1996a40bfea72e4584b82f6b845c503a9748

SHA256
71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009

SHA512
4fba2a50b89ef203e0e37ea2a4d6722c6fdce2b11fee9c3df6f335e2a51019431f13695106ba5fbbd9c28c8be0c92626622974770c08b3cd2b0c5e3fa8086d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C0C19~1\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
290464641660ea5cfdda076ce6da27c6

SHA1
c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b

SHA256
3b9264416a78f5eab2812cd46b14f993815e9dbf5bd145b3876c2f0f93b98521

SHA512
5b07ad84dfda0b5beba39f6878f402dac12c70872d403b11cc8c23415d655a1a34d07fba43916031faf21421c17d541573fe9ddb178b021b1e19ebac5afbabcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{c0c19522-f9a1-2540-babb-b9a19480ea54}\dbutildrv2.inf

Filesize
2KB

MD5
b87944dcc444e4c6ce9bb9fb8a9c0def

SHA1
19f8da3fe9ddbc067e3715d15aed7a6530732ab5

SHA256
56ed7ff7299c83b307282ce8d1def51d72a3663249e72a32c09f6264348b1da2

SHA512
bc220967122965335a722899f0995d651b104000d4ad604da8db50df023cbe1637c04fec42bc52e047547f5acd8b9348ef6ae4013378bb4a534aeb62787e154b

Download Submit
C:\Windows\INF\oem2.inf

Filesize
2KB

MD5
b87944dcc444e4c6ce9bb9fb8a9c0def

SHA1
19f8da3fe9ddbc067e3715d15aed7a6530732ab5

SHA256
56ed7ff7299c83b307282ce8d1def51d72a3663249e72a32c09f6264348b1da2

SHA512
bc220967122965335a722899f0995d651b104000d4ad604da8db50df023cbe1637c04fec42bc52e047547f5acd8b9348ef6ae4013378bb4a534aeb62787e154b

Download Submit
C:\Windows\INF\oem2.inf

Filesize
2KB

MD5
b87944dcc444e4c6ce9bb9fb8a9c0def

SHA1
19f8da3fe9ddbc067e3715d15aed7a6530732ab5

SHA256
56ed7ff7299c83b307282ce8d1def51d72a3663249e72a32c09f6264348b1da2

SHA512
bc220967122965335a722899f0995d651b104000d4ad604da8db50df023cbe1637c04fec42bc52e047547f5acd8b9348ef6ae4013378bb4a534aeb62787e154b

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
146KB

MD5
58e3f1497621162cd2f6dc957a71e9ae

SHA1
87c2808ba7054e20baf146f4c481dc746659478c

SHA256
54cc6b2804e1c6054f8bf4f21079274fa7f83461249c2923cb223c6b3f2c8088

SHA512
dc489b69fa0fbe31b68e59e5aa13962773a567f1a4962e90ff3a91fd6995ffc84621cf9bea7411d002571baa1890cbce3b9bf715a9753cbf1f2809e5d55c129e

Download Submit
C:\Windows\System32\DriverStore\FileRepository\DBUTIL~1.INF\DBUtilDrv2.sys

Filesize
24KB

MD5
d104621c93213942b7b43d65b5d8d33e

SHA1
b03b1996a40bfea72e4584b82f6b845c503a9748

SHA256
71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009

SHA512
4fba2a50b89ef203e0e37ea2a4d6722c6fdce2b11fee9c3df6f335e2a51019431f13695106ba5fbbd9c28c8be0c92626622974770c08b3cd2b0c5e3fa8086d53

Download Submit
C:\Windows\System32\DriverStore\FileRepository\DBUTIL~1.INF\DBUtilDrv2.sys

Filesize
24KB

MD5
d104621c93213942b7b43d65b5d8d33e

SHA1
b03b1996a40bfea72e4584b82f6b845c503a9748

SHA256
71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009

SHA512
4fba2a50b89ef203e0e37ea2a4d6722c6fdce2b11fee9c3df6f335e2a51019431f13695106ba5fbbd9c28c8be0c92626622974770c08b3cd2b0c5e3fa8086d53

Download Submit
C:\Windows\System32\DriverStore\FileRepository\DBUTIL~1.INF\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
290464641660ea5cfdda076ce6da27c6

SHA1
c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b

SHA256
3b9264416a78f5eab2812cd46b14f993815e9dbf5bd145b3876c2f0f93b98521

SHA512
5b07ad84dfda0b5beba39f6878f402dac12c70872d403b11cc8c23415d655a1a34d07fba43916031faf21421c17d541573fe9ddb178b021b1e19ebac5afbabcd

Download Submit
C:\Windows\System32\DriverStore\FileRepository\DBUTIL~1.INF\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
290464641660ea5cfdda076ce6da27c6

SHA1
c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b

SHA256
3b9264416a78f5eab2812cd46b14f993815e9dbf5bd145b3876c2f0f93b98521

SHA512
5b07ad84dfda0b5beba39f6878f402dac12c70872d403b11cc8c23415d655a1a34d07fba43916031faf21421c17d541573fe9ddb178b021b1e19ebac5afbabcd

Download Submit
C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\DBUtilDrv2.cat

Filesize
10KB

MD5
de39ee41d03c97e37849af90e408abbe

SHA1
06f2b629e7303ac1254b52ec0560c34d72b46155

SHA256
c77c24e945acc73d6b723f60bcdc0330ff501eea34b7da95061101dd1120392a

SHA512
f30f8b8317592f12d3198bed3204b7f5a5a7340dfc9a7370c19cca6492171818a6de08a24d877a5c5e75b82ccfbb3ba830c27d1b724f12389144b0fb20c4699f

Download Submit
C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.inf

Filesize
2KB

MD5
b87944dcc444e4c6ce9bb9fb8a9c0def

SHA1
19f8da3fe9ddbc067e3715d15aed7a6530732ab5

SHA256
56ed7ff7299c83b307282ce8d1def51d72a3663249e72a32c09f6264348b1da2

SHA512
bc220967122965335a722899f0995d651b104000d4ad604da8db50df023cbe1637c04fec42bc52e047547f5acd8b9348ef6ae4013378bb4a534aeb62787e154b

Download Submit
C:\Windows\System32\DriverStore\FileRepository\dbutildrv2.inf_amd64_7abc468ebf353252\dbutildrv2.inf

Filesize
2KB

MD5
b87944dcc444e4c6ce9bb9fb8a9c0def

SHA1
19f8da3fe9ddbc067e3715d15aed7a6530732ab5

SHA256
56ed7ff7299c83b307282ce8d1def51d72a3663249e72a32c09f6264348b1da2

SHA512
bc220967122965335a722899f0995d651b104000d4ad604da8db50df023cbe1637c04fec42bc52e047547f5acd8b9348ef6ae4013378bb4a534aeb62787e154b

Download Submit
\??\c:\users\admin\appdata\local\temp\DBUTIL~1\DBUtilDrv2.sys

Filesize
24KB

MD5
d104621c93213942b7b43d65b5d8d33e

SHA1
b03b1996a40bfea72e4584b82f6b845c503a9748

SHA256
71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009

SHA512
4fba2a50b89ef203e0e37ea2a4d6722c6fdce2b11fee9c3df6f335e2a51019431f13695106ba5fbbd9c28c8be0c92626622974770c08b3cd2b0c5e3fa8086d53

Download Submit
\??\c:\users\admin\appdata\local\temp\DBUTIL~1\DBUtilDrv2.sys

Filesize
24KB

MD5
d104621c93213942b7b43d65b5d8d33e

SHA1
b03b1996a40bfea72e4584b82f6b845c503a9748

SHA256
71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009

SHA512
4fba2a50b89ef203e0e37ea2a4d6722c6fdce2b11fee9c3df6f335e2a51019431f13695106ba5fbbd9c28c8be0c92626622974770c08b3cd2b0c5e3fa8086d53

Download Submit
\??\c:\users\admin\appdata\local\temp\DBUTIL~1\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
290464641660ea5cfdda076ce6da27c6

SHA1
c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b

SHA256
3b9264416a78f5eab2812cd46b14f993815e9dbf5bd145b3876c2f0f93b98521

SHA512
5b07ad84dfda0b5beba39f6878f402dac12c70872d403b11cc8c23415d655a1a34d07fba43916031faf21421c17d541573fe9ddb178b021b1e19ebac5afbabcd

Download Submit
\??\c:\users\admin\appdata\local\temp\DBUTIL~1\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
290464641660ea5cfdda076ce6da27c6

SHA1
c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b

SHA256
3b9264416a78f5eab2812cd46b14f993815e9dbf5bd145b3876c2f0f93b98521

SHA512
5b07ad84dfda0b5beba39f6878f402dac12c70872d403b11cc8c23415d655a1a34d07fba43916031faf21421c17d541573fe9ddb178b021b1e19ebac5afbabcd

Download Submit
\??\c:\users\admin\appdata\local\temp\dbutil_driver\DBUtilDrv2.cat

Filesize
10KB

MD5
de39ee41d03c97e37849af90e408abbe

SHA1
06f2b629e7303ac1254b52ec0560c34d72b46155

SHA256
c77c24e945acc73d6b723f60bcdc0330ff501eea34b7da95061101dd1120392a

SHA512
f30f8b8317592f12d3198bed3204b7f5a5a7340dfc9a7370c19cca6492171818a6de08a24d877a5c5e75b82ccfbb3ba830c27d1b724f12389144b0fb20c4699f

Download Submit
\??\c:\users\admin\appdata\local\temp\dbutil_driver\DBUtilDrv2.cat

Filesize
10KB

MD5
de39ee41d03c97e37849af90e408abbe

SHA1
06f2b629e7303ac1254b52ec0560c34d72b46155

SHA256
c77c24e945acc73d6b723f60bcdc0330ff501eea34b7da95061101dd1120392a

SHA512
f30f8b8317592f12d3198bed3204b7f5a5a7340dfc9a7370c19cca6492171818a6de08a24d877a5c5e75b82ccfbb3ba830c27d1b724f12389144b0fb20c4699f

Download Submit