ff9c244cef030284f53f8fcd718410956061d095c562281b7b597af594d0909f

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/03/2023, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BetterVjoy/! Driver Install (Run as Admin).bat
Size

810B
MD5

209db6a2db6ef71136e6a411b3e9187c
SHA1

eb4dc9ab2a16b63fc200d4ac218c3deb7224edad
SHA256

f8793e8cfb54bbb851e46179d34e0b953f8b044313e90fc8966f106f802cf134
SHA512

649f56412061863c72f0d122c8617c82e49752029c91fc1b690350a18df68af3fe16044364325df900ab84a9ff539becd9384e7ec6cf2aafa37c172067221766

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETEFCC.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETEFCC.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\HidGuardian.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETA7D4.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETA7D4.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\ViGEmBus.sys	DrvInst.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\HidCerberus.Srv\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BetterVjoy\\Drivers\\HidCerberus.Srv\\HidCerberus.Srv.exe\" -displayname \"HidCerberus Service\" -servicename \"HidCerberus.Srv\""	HidCerberus.Srv.exe

Loads dropped DLL 10 IoCs

pid	Process
2040	DrvInst.exe
2040	DrvInst.exe
1964	devcon.exe
1964	devcon.exe
660	DrvInst.exe
660	DrvInst.exe
660	DrvInst.exe
660	DrvInst.exe
872	devcon.exe
872	devcon.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SETA8DF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\HidGuardian.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET125A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5E9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\SETF059.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_neutral_b1c1565bbc39cfc3\vigembus.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\ViGEmBus.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET118E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB61A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_neutral_60308048514a1516\hidguardian.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET125B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET125A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB61A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_neutral_60308048514a1516\hidguardian.PNF	DrvInst.exe
File created	C:\Windows\system32\SETF059.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\vigembus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET126C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5FA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET125B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET118E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5FA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET126C.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\system32\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\hidguardian.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\ViGEmBus.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_neutral_b1c1565bbc39cfc3\vigembus.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\HidGuardian.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}	DrvInst.exe
File created	C:\Windows\system32\SETA8DF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5E8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5E9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	devcon.exe
File created	C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5E8.tmp	DrvInst.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\LastGood\TMPF052.tmp	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	devcon.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	HidCerberus.Srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1968	PING.EXE
1096	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
548	HidCerberus.Srv.exe
548	HidCerberus.Srv.exe
548	HidCerberus.Srv.exe
548	HidCerberus.Srv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	684	rundll32.exe
Token: SeRestorePrivilege	684	rundll32.exe
Token: SeRestorePrivilege	684	rundll32.exe
Token: SeRestorePrivilege	684	rundll32.exe
Token: SeRestorePrivilege	684	rundll32.exe
Token: SeRestorePrivilege	684	rundll32.exe
Token: SeRestorePrivilege	684	rundll32.exe
Token: SeBackupPrivilege	1208	vssvc.exe
Token: SeRestorePrivilege	1208	vssvc.exe
Token: SeAuditPrivilege	1208	vssvc.exe
Token: SeBackupPrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	1332	DrvInst.exe
Token: SeRestorePrivilege	908	DrvInst.exe
Token: SeRestorePrivilege	908	DrvInst.exe
Token: SeRestorePrivilege	908	DrvInst.exe
Token: SeRestorePrivilege	908	DrvInst.exe
Token: SeRestorePrivilege	908	DrvInst.exe
Token: SeRestorePrivilege	908	DrvInst.exe
Token: SeRestorePrivilege	908	DrvInst.exe
Token: SeLoadDriverPrivilege	908	DrvInst.exe
Token: SeLoadDriverPrivilege	908	DrvInst.exe
Token: SeLoadDriverPrivilege	908	DrvInst.exe
Token: SeRestorePrivilege	1964	devcon.exe
Token: SeLoadDriverPrivilege	1964	devcon.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeLoadDriverPrivilege	2040	DrvInst.exe
Token: SeLoadDriverPrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	872	devcon.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1756	1996	cmd.exe	29
PID 1996 wrote to memory of 1756	1996	cmd.exe	29
PID 1996 wrote to memory of 1756	1996	cmd.exe	29
PID 1996 wrote to memory of 1964	1996	cmd.exe	30
PID 1996 wrote to memory of 1964	1996	cmd.exe	30
PID 1996 wrote to memory of 1964	1996	cmd.exe	30
PID 1332 wrote to memory of 684	1332	DrvInst.exe	32
PID 1332 wrote to memory of 684	1332	DrvInst.exe	32
PID 1332 wrote to memory of 684	1332	DrvInst.exe	32
PID 1996 wrote to memory of 872	1996	cmd.exe	37
PID 1996 wrote to memory of 872	1996	cmd.exe	37
PID 1996 wrote to memory of 872	1996	cmd.exe	37
PID 1712 wrote to memory of 1960	1712	DrvInst.exe	39
PID 1712 wrote to memory of 1960	1712	DrvInst.exe	39
PID 1712 wrote to memory of 1960	1712	DrvInst.exe	39
PID 1996 wrote to memory of 1552	1996	cmd.exe	41
PID 1996 wrote to memory of 1552	1996	cmd.exe	41
PID 1996 wrote to memory of 1552	1996	cmd.exe	41
PID 1996 wrote to memory of 820	1996	cmd.exe	42
PID 1996 wrote to memory of 820	1996	cmd.exe	42
PID 1996 wrote to memory of 820	1996	cmd.exe	42
PID 1996 wrote to memory of 1968	1996	cmd.exe	43
PID 1996 wrote to memory of 1968	1996	cmd.exe	43
PID 1996 wrote to memory of 1968	1996	cmd.exe	43
PID 1996 wrote to memory of 1352	1996	cmd.exe	44
PID 1996 wrote to memory of 1352	1996	cmd.exe	44
PID 1996 wrote to memory of 1352	1996	cmd.exe	44
PID 1352 wrote to memory of 1504	1352	net.exe	45
PID 1352 wrote to memory of 1504	1352	net.exe	45
PID 1352 wrote to memory of 1504	1352	net.exe	45
PID 1996 wrote to memory of 1096	1996	cmd.exe	47
PID 1996 wrote to memory of 1096	1996	cmd.exe	47
PID 1996 wrote to memory of 1096	1996	cmd.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BetterVjoy\! Driver Install (Run as Admin).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\BetterVjoy\Drivers\devcon.exe
  devcon.exe remove Root\ViGEmBus
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\BetterVjoy\Drivers\devcon.exe
  devcon.exe install ViGEmDriver\ViGEmBus.inf Root\ViGEmBus
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\BetterVjoy\Drivers\devcon.exe
  devcon.exe install .\HidGuardian\HidGuardian.inf Root\HidGuardian
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Users\Admin\AppData\Local\Temp\BetterVjoy\Drivers\devcon.exe
  devcon.exe classfilter HIDClass upper -HidGuardian
  2⤵
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\BetterVjoy\Drivers\HidCerberus.Srv\HidCerberus.Srv.exe
  HidCerberus.Srv.exe install
  2⤵
  - Sets service image path in registry
  PID:820
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - Runs ping.exe
  PID:1968
- C:\Windows\system32\net.exe
  net start "HidCerberus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start "HidCerberus Service"
    3⤵
    PID:1504
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - Runs ping.exe
  PID:1096

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{418999d0-b44e-026e-b7cc-f71527f7405d}\vigembus.inf" "9" "6eef320bb" "00000000000005A4" "WinSta0\Default" "0000000000000594" "208" "c:\users\admin\appdata\local\temp\bettervjoy\drivers\vigemdriver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{20b3ecf8-adb5-0a33-84c1-c92b60fc415b} Global\{7c480399-ef7a-6b58-2e47-1c2e1121b01c} C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\vigembus.inf C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\ViGEmBus.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C8" "00000000000005C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem2.inf" "vigembus.inf:Standard.NTamd64:ViGEmBus_Device:1.14.3.0:root\vigembus" "6eef320bb" "00000000000002DC" "00000000000003B0" "00000000000005D0"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{463ac1fb-9512-0df5-707b-823576fe0421}\hidguardian.inf" "9" "6ca3f57bf" "0000000000000594" "WinSta0\Default" "00000000000002E0" "208" "c:\users\admin\appdata\local\temp\bettervjoy\drivers\hidguardian"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{73aac3ee-c06a-3f72-8b11-5a6b9fc21251} Global\{230559fe-15ab-785b-102e-0d1f3f97566c} C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\hidguardian.inf C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\HidGuardian.cat
  2⤵
  PID:1960

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\SYSTEM\0002" "C:\Windows\INF\oem3.inf" "hidguardian.inf:Standard.NTamd64:HidGuardian_Device:1.9.0.0:root\hidguardian" "6ca3f57bf" "0000000000000594" "00000000000005F0" "00000000000004B8"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:660

C:\Users\Admin\AppData\Local\Temp\BetterVjoy\Drivers\HidCerberus.Srv\HidCerberus.Srv.exe
"C:\Users\Admin\AppData\Local\Temp\BetterVjoy\Drivers\HidCerberus.Srv\HidCerberus.Srv.exe" -displayname "HidCerberus Service" -servicename "HidCerberus.Srv"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabEF2.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF04.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{418999d0-b44e-026e-b7cc-f71527f7405d}\ViGEmBus.cat

Filesize
11KB

MD5
166bdd14bcaf7d186297fdfb9fe0cdaa

SHA1
8782f724ad26e8061281db62f13ad903263371a2

SHA256
714b24e8d3a28a4935e699cdb1e9ff1da9421cc47cf7e412564d10939822724a

SHA512
f6e43d553b10ded73d763541f7cff3bb342d98b05815f4af0d0e404bd01ba845b732904eb604aa1b86daa3fbcde194af08d61d3da78e79041544f677e780faf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{418999d0-b44e-026e-b7cc-f71527f7405d}\vigembus.inf

Filesize
1KB

MD5
ff9b269a6447a6088a066d3942f79da1

SHA1
15ce52718e76ad99851b13de8b649d5276bdfd6f

SHA256
6e35df8b6d92964f5d37cd73a419f290260b81d3838ae439b96536f10033afb4

SHA512
89415ad9000df91d4f26c01cef31103c4eb7059485f75290aa24578138034a038fd4f1d6800cdcd865219b2e0b4008176f07b2886d959887d84bdd28d60eb6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{41899~1\ViGEmBus.sys

Filesize
51KB

MD5
743e5c7578f5109f2da691eb494ec442

SHA1
413c4c841ff0852e5e49e906f6703eefb9c82a0f

SHA256
e115bf3ef148add15caa89130fd8f38c0b1fab6d789bd2328663a0f9c979a781

SHA512
1003533dedcec8759fb3166b843b8297970f733367770870284316d533ee414cc33a85dbd30878a1092d17a32299f7799fed6ad5debcd1871dc35fe7db0de973

Download Submit
C:\Users\Admin\AppData\Local\Temp\{41899~1\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\{463AC~1\HidGuardian.sys

Filesize
36KB

MD5
7ff3b4842c374d8b4a6b5f73ef4937b0

SHA1
3560a98e4f8051f51767ee094787896b01401674

SHA256
7853f2b2ac260a5ea9fc70e08445ca83708d73a0024154debb590bf33a0c64a7

SHA512
c980795c08425e49024537dd786f01ff4148fb628e634a7386082311a68c5eccc4ac316cae87f40d0acaf80c2e111a0cfbc806aeaaee4b980fbb7e8a82a018b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{463AC~1\WDFCOI~1.DLL

Filesize
1.7MB

MD5
5487685a7fc7d49a43bf30593f7d8d9b

SHA1
ff1752e13c80b369157162722971b11f82228783

SHA256
24368b8dfd9dc3352390c438ee783d128cb9774755165c083aa3342d6254638b

SHA512
ac1ecb4ad5a8bf746663cf9c9bc2a47d5d0b137941f1589297b93cfb863abb515ba78ec4d249044a87b7816fadf40964f204e34b55bbc1a44efe4b06a9a78566

Download Submit
C:\Users\Admin\AppData\Local\Temp\{463ac1fb-9512-0df5-707b-823576fe0421}\HidGuardian.cat

Filesize
11KB

MD5
ed55be0eb2910d8d7b9918eda7b0a213

SHA1
54f8ee84e102f794bc47019d2dae056c318641b5

SHA256
695bcaf8328c7d207c3c9f1bf45deda8e82bd29aa1c542f3b61a8321b1f4b9f9

SHA512
f2558f84f35dc1801e32a3b06d25d452a4e4a66c8048416d5e22d4f2756cfb88f92da4011461c4e85c0e2468ac1a59ede72089cbb72aa22f3ae7007ca57fe9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{463ac1fb-9512-0df5-707b-823576fe0421}\hidguardian.inf

Filesize
2KB

MD5
6b0c393b7ad7cd02d672654f16308cf8

SHA1
3d7bbd0596e7b10948e9163a65b503feed3b77d0

SHA256
e005c627e61d7926ec6df60f9a3e241f1fae05134a651259f816d1fef0145f9e

SHA512
c33d043b5ad9cb119edab4a77a2a285290158c5df75f000cfc27d35f903da254f20d1b9164e5b71aefc3d2a3697e63818d0a8b817507343762e145dd48ea877b

Download Submit
C:\Windows\INF\oem2.inf

Filesize
1KB

MD5
ff9b269a6447a6088a066d3942f79da1

SHA1
15ce52718e76ad99851b13de8b649d5276bdfd6f

SHA256
6e35df8b6d92964f5d37cd73a419f290260b81d3838ae439b96536f10033afb4

SHA512
89415ad9000df91d4f26c01cef31103c4eb7059485f75290aa24578138034a038fd4f1d6800cdcd865219b2e0b4008176f07b2886d959887d84bdd28d60eb6e4

Download Submit
C:\Windows\INF\oem3.inf

Filesize
2KB

MD5
6b0c393b7ad7cd02d672654f16308cf8

SHA1
3d7bbd0596e7b10948e9163a65b503feed3b77d0

SHA256
e005c627e61d7926ec6df60f9a3e241f1fae05134a651259f816d1fef0145f9e

SHA512
c33d043b5ad9cb119edab4a77a2a285290158c5df75f000cfc27d35f903da254f20d1b9164e5b71aefc3d2a3697e63818d0a8b817507343762e145dd48ea877b

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
192KB

MD5
630ed84e3f48b9a6d3ac91c6102aea2d

SHA1
bfd5d1e598c2d4f1c3a45c6fff1aa0f729017246

SHA256
be3484b5ab7ed36a1e7bbad747362e721b64ca7931f8287ffba64c8fbe61ce13

SHA512
6faef07564b1f88cb05b1f16ab8436cb4502768e44d80f61df6248c325c0b44e5b0417e378f6f963977032d14a6abb8701667d0bf477a23bcb7717169462fccc

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\HIDGUA~1.INF\HidGuardian.sys

Filesize
36KB

MD5
7ff3b4842c374d8b4a6b5f73ef4937b0

SHA1
3560a98e4f8051f51767ee094787896b01401674

SHA256
7853f2b2ac260a5ea9fc70e08445ca83708d73a0024154debb590bf33a0c64a7

SHA512
c980795c08425e49024537dd786f01ff4148fb628e634a7386082311a68c5eccc4ac316cae87f40d0acaf80c2e111a0cfbc806aeaaee4b980fbb7e8a82a018b8

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\VIGEMB~1.INF\ViGEmBus.sys

Filesize
51KB

MD5
743e5c7578f5109f2da691eb494ec442

SHA1
413c4c841ff0852e5e49e906f6703eefb9c82a0f

SHA256
e115bf3ef148add15caa89130fd8f38c0b1fab6d789bd2328663a0f9c979a781

SHA512
1003533dedcec8759fb3166b843b8297970f733367770870284316d533ee414cc33a85dbd30878a1092d17a32299f7799fed6ad5debcd1871dc35fe7db0de973

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\VIGEMB~1.INF\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_neutral_60308048514a1516\HidGuardian.cat

Filesize
11KB

MD5
ed55be0eb2910d8d7b9918eda7b0a213

SHA1
54f8ee84e102f794bc47019d2dae056c318641b5

SHA256
695bcaf8328c7d207c3c9f1bf45deda8e82bd29aa1c542f3b61a8321b1f4b9f9

SHA512
f2558f84f35dc1801e32a3b06d25d452a4e4a66c8048416d5e22d4f2756cfb88f92da4011461c4e85c0e2468ac1a59ede72089cbb72aa22f3ae7007ca57fe9f3

Download Submit
C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_neutral_60308048514a1516\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
5487685a7fc7d49a43bf30593f7d8d9b

SHA1
ff1752e13c80b369157162722971b11f82228783

SHA256
24368b8dfd9dc3352390c438ee783d128cb9774755165c083aa3342d6254638b

SHA512
ac1ecb4ad5a8bf746663cf9c9bc2a47d5d0b137941f1589297b93cfb863abb515ba78ec4d249044a87b7816fadf40964f204e34b55bbc1a44efe4b06a9a78566

Download Submit
C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_neutral_60308048514a1516\hidguardian.PNF

Filesize
7KB

MD5
0da429560f024873deb1cef1d49f40bf

SHA1
d657c5826e2a7fcfef5f918c90517a8a2205eb63

SHA256
65ab5ded22ef6ff84e6183dc9976d8e2f1fe7573949d4cccfb0b839c87a8fdca

SHA512
2f4e6decaf94987b9aaddb336fcbf0ac9cc8ea90adb374c250d8f73bcec184dd17a37167992f81000d5647c9879ec8d4da04e06c70730732c7e2a8611ee40488

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_neutral_b1c1565bbc39cfc3\ViGEmBus.cat

Filesize
11KB

MD5
166bdd14bcaf7d186297fdfb9fe0cdaa

SHA1
8782f724ad26e8061281db62f13ad903263371a2

SHA256
714b24e8d3a28a4935e699cdb1e9ff1da9421cc47cf7e412564d10939822724a

SHA512
f6e43d553b10ded73d763541f7cff3bb342d98b05815f4af0d0e404bd01ba845b732904eb604aa1b86daa3fbcde194af08d61d3da78e79041544f677e780faf0

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_neutral_b1c1565bbc39cfc3\vigembus.PNF

Filesize
7KB

MD5
eb1b79337c86bdcc3c2285a8134eb91e

SHA1
8f3f9bac511c8e9def9b9101688f394162391e5f

SHA256
58f858a1a7e76c3a850a83dc388c5e0237040e20a4d7e95cc8c68061e56a8de2

SHA512
628f28eb6fe62bf1bc7c8711c537356ce85aa39e89cf7578ed2f4443ebfdf7306272fb6941f008d9d4ca749c61cac400893889688d2ab38e12a7b9e36512b1aa

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
cdb45a988ccb2a4adadcf0d806290da0

SHA1
a0a74cbbd591da824fb610c6a52252d5ac56704d

SHA256
a2b3e837c066d71827b046b6ee5fc799c029fc8fdb550501a48ce40fb213eeda

SHA512
7a5643bd71b54490745da1e93f459a7c7c1fc64969d2d3621812f6945630a32b085df2a5365af89533a001d17f3494fe161ca3150247542d270a0b4125a64ecc

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
c853e59567efd96b61fe6c948a4fb28d

SHA1
7f032780fcf1c9486b0f7f8c8335a51d6e019a17

SHA256
39fdfe9c52aa537805120989fbc14a85f3d72fcd4d3da317efeef87386feba3c

SHA512
f2afa9e87a4b44e5541abc940c64dab06ecb6285add315037768bd5b0d25e54885a875d6224aca4209e1f85388d29b5ea65db11d00f02e2e6ff95d52c9074ca0

Download Submit
C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5E8.tmp

Filesize
36KB

MD5
7ff3b4842c374d8b4a6b5f73ef4937b0

SHA1
3560a98e4f8051f51767ee094787896b01401674

SHA256
7853f2b2ac260a5ea9fc70e08445ca83708d73a0024154debb590bf33a0c64a7

SHA512
c980795c08425e49024537dd786f01ff4148fb628e634a7386082311a68c5eccc4ac316cae87f40d0acaf80c2e111a0cfbc806aeaaee4b980fbb7e8a82a018b8

Download Submit
C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5E9.tmp

Filesize
1.7MB

MD5
5487685a7fc7d49a43bf30593f7d8d9b

SHA1
ff1752e13c80b369157162722971b11f82228783

SHA256
24368b8dfd9dc3352390c438ee783d128cb9774755165c083aa3342d6254638b

SHA512
ac1ecb4ad5a8bf746663cf9c9bc2a47d5d0b137941f1589297b93cfb863abb515ba78ec4d249044a87b7816fadf40964f204e34b55bbc1a44efe4b06a9a78566

Download Submit
C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB5FA.tmp

Filesize
11KB

MD5
ed55be0eb2910d8d7b9918eda7b0a213

SHA1
54f8ee84e102f794bc47019d2dae056c318641b5

SHA256
695bcaf8328c7d207c3c9f1bf45deda8e82bd29aa1c542f3b61a8321b1f4b9f9

SHA512
f2558f84f35dc1801e32a3b06d25d452a4e4a66c8048416d5e22d4f2756cfb88f92da4011461c4e85c0e2468ac1a59ede72089cbb72aa22f3ae7007ca57fe9f3

Download Submit
C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\SETB61A.tmp

Filesize
2KB

MD5
6b0c393b7ad7cd02d672654f16308cf8

SHA1
3d7bbd0596e7b10948e9163a65b503feed3b77d0

SHA256
e005c627e61d7926ec6df60f9a3e241f1fae05134a651259f816d1fef0145f9e

SHA512
c33d043b5ad9cb119edab4a77a2a285290158c5df75f000cfc27d35f903da254f20d1b9164e5b71aefc3d2a3697e63818d0a8b817507343762e145dd48ea877b

Download Submit
C:\Windows\System32\DriverStore\Temp\{343183fc-adc7-46bd-2d69-8e0be04f1f3c}\hidguardian.inf

Filesize
2KB

MD5
6b0c393b7ad7cd02d672654f16308cf8

SHA1
3d7bbd0596e7b10948e9163a65b503feed3b77d0

SHA256
e005c627e61d7926ec6df60f9a3e241f1fae05134a651259f816d1fef0145f9e

SHA512
c33d043b5ad9cb119edab4a77a2a285290158c5df75f000cfc27d35f903da254f20d1b9164e5b71aefc3d2a3697e63818d0a8b817507343762e145dd48ea877b

Download Submit
C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET118E.tmp

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET125A.tmp

Filesize
11KB

MD5
166bdd14bcaf7d186297fdfb9fe0cdaa

SHA1
8782f724ad26e8061281db62f13ad903263371a2

SHA256
714b24e8d3a28a4935e699cdb1e9ff1da9421cc47cf7e412564d10939822724a

SHA512
f6e43d553b10ded73d763541f7cff3bb342d98b05815f4af0d0e404bd01ba845b732904eb604aa1b86daa3fbcde194af08d61d3da78e79041544f677e780faf0

Download Submit
C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET125B.tmp

Filesize
1KB

MD5
ff9b269a6447a6088a066d3942f79da1

SHA1
15ce52718e76ad99851b13de8b649d5276bdfd6f

SHA256
6e35df8b6d92964f5d37cd73a419f290260b81d3838ae439b96536f10033afb4

SHA512
89415ad9000df91d4f26c01cef31103c4eb7059485f75290aa24578138034a038fd4f1d6800cdcd865219b2e0b4008176f07b2886d959887d84bdd28d60eb6e4

Download Submit
C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\SET126C.tmp

Filesize
51KB

MD5
743e5c7578f5109f2da691eb494ec442

SHA1
413c4c841ff0852e5e49e906f6703eefb9c82a0f

SHA256
e115bf3ef148add15caa89130fd8f38c0b1fab6d789bd2328663a0f9c979a781

SHA512
1003533dedcec8759fb3166b843b8297970f733367770870284316d533ee414cc33a85dbd30878a1092d17a32299f7799fed6ad5debcd1871dc35fe7db0de973

Download Submit
C:\Windows\System32\DriverStore\Temp\{3fe37577-06ce-1dcd-7c65-c873caf8d415}\vigembus.inf

Filesize
1KB

MD5
ff9b269a6447a6088a066d3942f79da1

SHA1
15ce52718e76ad99851b13de8b649d5276bdfd6f

SHA256
6e35df8b6d92964f5d37cd73a419f290260b81d3838ae439b96536f10033afb4

SHA512
89415ad9000df91d4f26c01cef31103c4eb7059485f75290aa24578138034a038fd4f1d6800cdcd865219b2e0b4008176f07b2886d959887d84bdd28d60eb6e4

Download Submit
C:\Windows\Temp\Cab12D8.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar1329.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\setupact.log

Filesize
22KB

MD5
4615c0157f849b2615e7d65c90dd21d9

SHA1
470eafb9d2447ac64dac46df1752a6142bf8cbcc

SHA256
5de4b65f1e35d61448aa5b4bb367a9262bbd68819c2e9b62ce1d127531b25543

SHA512
e474e06c0f0112d74487a3a8977ab80fbb9fdbba11f80857fd29346e62bcba9330de8374d39feb0661dbc820110305ed27cdaaeb382b28d7a90f949d264203ed

Download Submit
C:\Windows\setupact.log

Filesize
22KB

MD5
698650442d271967e933e961d844bd20

SHA1
5a39c39d318534f0b45adfc43e16599b4292aa57

SHA256
e3e77bc17cd9329e0fc242a2509e8512c19225949ccbc36232467335f95e5d03

SHA512
d82983b313de061e85b77139e11714f7f88a87db48a00302b4c1e8b3261de7660aa630f1c803571bbd582fd3a852d9d19549408ecff5b1ebb906a42a57c81eb1

Download Submit
C:\Windows\system32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
\Windows\System32\SETF059.tmp

Filesize
1.7MB

MD5
5487685a7fc7d49a43bf30593f7d8d9b

SHA1
ff1752e13c80b369157162722971b11f82228783

SHA256
24368b8dfd9dc3352390c438ee783d128cb9774755165c083aa3342d6254638b

SHA512
ac1ecb4ad5a8bf746663cf9c9bc2a47d5d0b137941f1589297b93cfb863abb515ba78ec4d249044a87b7816fadf40964f204e34b55bbc1a44efe4b06a9a78566

Download Submit
\Windows\System32\SETF059.tmp

Filesize
1.7MB

MD5
5487685a7fc7d49a43bf30593f7d8d9b

SHA1
ff1752e13c80b369157162722971b11f82228783

SHA256
24368b8dfd9dc3352390c438ee783d128cb9774755165c083aa3342d6254638b

SHA512
ac1ecb4ad5a8bf746663cf9c9bc2a47d5d0b137941f1589297b93cfb863abb515ba78ec4d249044a87b7816fadf40964f204e34b55bbc1a44efe4b06a9a78566

Download Submit
\Windows\System32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
\Windows\System32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
\Windows\System32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
\Windows\System32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
\Windows\System32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
\Windows\System32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
\Windows\System32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
\Windows\System32\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
b391d9d1c2ee9bb3a577b49ecb5148b4

SHA1
9093586c7f96ad7321a5da9f7c47ba578d1b634f

SHA256
ac7cf4360bec3efbaa87db092da4fbd6dbbe293bd43559d895cc7913ed88b48d

SHA512
a360cdcdae32b2d588e705e5672e27ee2d521b23ccb7e177356ca8ea69c014d56978dd9cfd94a6d8fcb71a36e5b939052b07646976fe367ca6e73c8613801a66

Download Submit
memory/548-867-0x0000000019440000-0x00000000194C0000-memory.dmp

Filesize
512KB

Download
memory/548-866-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/548-865-0x0000000001300000-0x0000000001398000-memory.dmp

Filesize
608KB

Download
memory/684-239-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/820-863-0x000000001B200000-0x000000001B2E2000-memory.dmp

Filesize
904KB

Download
memory/820-864-0x000000001AEA0000-0x000000001AF20000-memory.dmp

Filesize
512KB

Download
memory/820-862-0x0000000000570000-0x00000000005A4000-memory.dmp

Filesize
208KB

Download
memory/820-861-0x0000000000A50000-0x0000000000AE8000-memory.dmp

Filesize
608KB

Download
memory/1960-638-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download