e29412d1cb7924766bc5ade31eadde6f157f30f9b6174aad217400c4b45ce197

Analysis

max time kernel
67s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e29412d1cb7924766bc5ade31eadde6f157f30f9b6174aad217400c4b45ce197.dll
Size

3.4MB
MD5

69a01415c4b3b990933b47351380127c
SHA1

7a9051b8be45853594a6952a43798f6a7702a8c3
SHA256

e29412d1cb7924766bc5ade31eadde6f157f30f9b6174aad217400c4b45ce197
SHA512

368ca8a1f28a70e460df9686385d0ca7453183406e3467376759bb8f85b57f2adb1e5f6b9fb4b0da48f3f9dd44df0629eabc2f8a2b509a6de4a50769a2b07a04
SSDEEP

24576:+V76pHUQnEXcfsfzHh/esoSPkzEcUwT6uSms+jgNb0JxGrurooa+AwhhfO8EPPPs:+V7mCV7jW228PPagxnGBluChwQpzIKX

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\VmtkmMouFiltr_0.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\mouhid.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\mouclass.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET7A45.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET7A45.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\VmtkmHid_0.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\SET807F.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SET807F.tmp	DrvInst.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QL_Drivers\ImagePath = "\\??\\C:\\Windows\\Fonts\\QL_Drivers.sys"	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
3536	devcon.exe
5112	devcon.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\VmtkmHid_0.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\SET7527.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmtkmhid_0.inf_amd64_aaf954d05a2c7d7f\VmtkmHid_0.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\SET7E3E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\VmtkmHid_0.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\vmtkmmoufiltr_0.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\SET7E3F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\VmtkmMouFiltr_0.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\SET7526.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\SET7E3F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmtkmmoufiltr_0.inf_amd64_75b639d4ffc4e70a\vmtkmmoufiltr_0.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmtkmmoufiltr_0.inf_amd64_75b639d4ffc4e70a\vmtkmmoufiltr_0.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmtkmhid_0.inf_amd64_aaf954d05a2c7d7f\VmtkmHid_0.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\SET7E1E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\SET7E3E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmtkmmoufiltr_0.inf_amd64_75b639d4ffc4e70a\VmtkmHid_0.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\SET7515.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\SET7E1E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\SET7526.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\vmtkmhid_0.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\SET7527.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\SET7515.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vmtkmhid_0.inf_amd64_aaf954d05a2c7d7f\vmtkmhid_0.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\VmtkmHid_0.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmtkmmoufiltr_0.inf_amd64_75b639d4ffc4e70a\VmtkmMouFiltr_0.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vmtkmhid_0.inf_amd64_aaf954d05a2c7d7f\vmtkmhid_0.inf	DrvInst.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\Fonts\QL_Drivers.sys	rundll32.exe
File opened for modification	C:\Windows\Fonts\QL_Drivers.sys	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	rundll32.exe
Token: 1	2700	rundll32.exe
Token: SeCreateTokenPrivilege	2700	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	2700	rundll32.exe
Token: SeLockMemoryPrivilege	2700	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2700	rundll32.exe
Token: SeMachineAccountPrivilege	2700	rundll32.exe
Token: SeTcbPrivilege	2700	rundll32.exe
Token: SeSecurityPrivilege	2700	rundll32.exe
Token: SeTakeOwnershipPrivilege	2700	rundll32.exe
Token: SeLoadDriverPrivilege	2700	rundll32.exe
Token: SeSystemProfilePrivilege	2700	rundll32.exe
Token: SeSystemtimePrivilege	2700	rundll32.exe
Token: SeProfSingleProcessPrivilege	2700	rundll32.exe
Token: SeIncBasePriorityPrivilege	2700	rundll32.exe
Token: SeCreatePagefilePrivilege	2700	rundll32.exe
Token: SeCreatePermanentPrivilege	2700	rundll32.exe
Token: SeBackupPrivilege	2700	rundll32.exe
Token: SeRestorePrivilege	2700	rundll32.exe
Token: SeShutdownPrivilege	2700	rundll32.exe
Token: SeDebugPrivilege	2700	rundll32.exe
Token: SeAuditPrivilege	2700	rundll32.exe
Token: SeSystemEnvironmentPrivilege	2700	rundll32.exe
Token: SeChangeNotifyPrivilege	2700	rundll32.exe
Token: SeRemoteShutdownPrivilege	2700	rundll32.exe
Token: SeUndockPrivilege	2700	rundll32.exe
Token: SeSyncAgentPrivilege	2700	rundll32.exe
Token: SeEnableDelegationPrivilege	2700	rundll32.exe
Token: SeManageVolumePrivilege	2700	rundll32.exe
Token: SeImpersonatePrivilege	2700	rundll32.exe
Token: SeCreateGlobalPrivilege	2700	rundll32.exe
Token: 31	2700	rundll32.exe
Token: 32	2700	rundll32.exe
Token: 33	2700	rundll32.exe
Token: 34	2700	rundll32.exe
Token: 35	2700	rundll32.exe
Token: 36	2700	rundll32.exe
Token: 37	2700	rundll32.exe
Token: 38	2700	rundll32.exe
Token: 39	2700	rundll32.exe
Token: 40	2700	rundll32.exe
Token: 41	2700	rundll32.exe
Token: 42	2700	rundll32.exe
Token: 43	2700	rundll32.exe
Token: 44	2700	rundll32.exe
Token: 45	2700	rundll32.exe
Token: 46	2700	rundll32.exe
Token: 47	2700	rundll32.exe
Token: 48	2700	rundll32.exe
Token: SeAuditPrivilege	756	svchost.exe
Token: SeSecurityPrivilege	756	svchost.exe
Token: SeLoadDriverPrivilege	3536	devcon.exe
Token: SeRestorePrivilege	4284	DrvInst.exe
Token: SeBackupPrivilege	4284	DrvInst.exe
Token: SeLoadDriverPrivilege	4284	DrvInst.exe
Token: SeLoadDriverPrivilege	4284	DrvInst.exe
Token: SeLoadDriverPrivilege	4284	DrvInst.exe
Token: SeLoadDriverPrivilege	5112	devcon.exe
Token: SeRestorePrivilege	3656	DrvInst.exe
Token: SeBackupPrivilege	3656	DrvInst.exe
Token: SeRestorePrivilege	3656	DrvInst.exe
Token: SeBackupPrivilege	3656	DrvInst.exe
Token: SeRestorePrivilege	3656	DrvInst.exe
Token: SeBackupPrivilege	3656	DrvInst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2700	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 2700	832	rundll32.exe	83
PID 832 wrote to memory of 2700	832	rundll32.exe	83
PID 832 wrote to memory of 2700	832	rundll32.exe	83
PID 2700 wrote to memory of 2144	2700	rundll32.exe	84
PID 2700 wrote to memory of 2144	2700	rundll32.exe	84
PID 2144 wrote to memory of 3536	2144	cmd.exe	87
PID 2144 wrote to memory of 3536	2144	cmd.exe	87
PID 756 wrote to memory of 4320	756	svchost.exe	89
PID 756 wrote to memory of 4320	756	svchost.exe	89
PID 756 wrote to memory of 4284	756	svchost.exe	90
PID 756 wrote to memory of 4284	756	svchost.exe	90
PID 2144 wrote to memory of 5112	2144	cmd.exe	93
PID 2144 wrote to memory of 5112	2144	cmd.exe	93
PID 756 wrote to memory of 4408	756	svchost.exe	94
PID 756 wrote to memory of 4408	756	svchost.exe	94
PID 756 wrote to memory of 3656	756	svchost.exe	95
PID 756 wrote to memory of 3656	756	svchost.exe	95

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e29412d1cb7924766bc5ade31eadde6f157f30f9b6174aad217400c4b45ce197.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e29412d1cb7924766bc5ade31eadde6f157f30f9b6174aad217400c4b45ce197.dll,#1
  2⤵
  - Sets service image path in registry
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FileDef20160419\x64\Driver_Setup.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\FileDef20160419\x64\devcon.exe
      devcon install VmtkmHid_0.inf "{8FBC4165-480D-4230-B1DF-7B86F3E5A3CC}\HID_DEVICE"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\FileDef20160419\x64\devcon.exe
      devcon update VmtkmMouFiltr_0.inf "HID\Vid_1bcf&Pid_05e3&Col02"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1d9d1a73-8eac-3449-a0a5-5617c349845c}\vmtkmhid_0.inf" "9" "4f780c9bb" "00000000000000B8" "WinSta0\Default" "0000000000000140" "208" "c:\users\admin\appdata\local\temp\filedef20160419\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4320
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:b2fe4818386da1dc:VHidMini.Inst:1.0.0.1:{8fbc4165-480d-4230-b1df-7b86f3e5a3cc}\hid_device," "4f780c9bb" "00000000000000B8"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1c9c308a-e678-8648-a995-24d14538c582}\vmtkmmoufiltr_0.inf" "9" "458dbf7d3" "0000000000000170" "WinSta0\Default" "0000000000000174" "208" "c:\users\admin\appdata\local\temp\filedef20160419\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4408
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "HID\VID_1BCF&PID_05E3&COL02\1&2D595CA7&0&0001" "C:\Windows\INF\oem4.inf" "oem4.inf:bcec1b19d8f58feb:HIDUAS_Inst:1.0.0.0:hid\vid_1bcf&pid_05e3&col02," "458dbf7d3" "0000000000000170"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s hidserv
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FileDef20160419\Driver_Setup.bat

Filesize
148B

MD5
ffb0bbd1166100b72cc3823baa152b2f

SHA1
dab9d0aee5ab7f2995feeacdbc6bf7710a372f0f

SHA256
f107b57123cb427fce8d635f19e63483819d48876adf9ddc05174af80cce4229

SHA512
dabe236a5df5f7d62dc8df9d8c8faf6ef27db96c43caf61d13aba5e9e9f82a5f9aa5e1fa92d239580da7e62356991c6e76f9884c66380f0e53cac68a89658fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef20160419\x64\Driver_Setup.bat

Filesize
148B

MD5
ffb0bbd1166100b72cc3823baa152b2f

SHA1
dab9d0aee5ab7f2995feeacdbc6bf7710a372f0f

SHA256
f107b57123cb427fce8d635f19e63483819d48876adf9ddc05174af80cce4229

SHA512
dabe236a5df5f7d62dc8df9d8c8faf6ef27db96c43caf61d13aba5e9e9f82a5f9aa5e1fa92d239580da7e62356991c6e76f9884c66380f0e53cac68a89658fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef20160419\x64\VmtkmHid_0.inf

Filesize
3KB

MD5
ac2a7db4b61118498e6d74e302335c2b

SHA1
85da16e595b994cd6e3cdcedc2ae2e5068a5640e

SHA256
20ba09ccf6d435af296bbe9e84212538094ea064128052d737f6884265de05d0

SHA512
25b0ab141032643e7c871066d909b4e331991d55ec602c6b4166ffbab3aa43a1535aae92159ac16d7fb81c5885c3f26518b5b4c2224dd26ac8534f349b2898e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef20160419\x64\devcon.exe

Filesize
87KB

MD5
41ba1bbdd9284e49701ee94a3f446c33

SHA1
6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99

SHA256
c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4

SHA512
dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef20160419\x64\devcon.exe

Filesize
87KB

MD5
41ba1bbdd9284e49701ee94a3f446c33

SHA1
6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99

SHA256
c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4

SHA512
dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileDef20160419\x64\devcon.exe

Filesize
87KB

MD5
41ba1bbdd9284e49701ee94a3f446c33

SHA1
6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99

SHA256
c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4

SHA512
dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1C9C3~1\VmtkmHid_0.cat

Filesize
8KB

MD5
69d398d45035ea070ad1d950947b8258

SHA1
f389482e8f547f08f6637005cb0312ab1c94a9cb

SHA256
f966ccfc34fca47aa0f8de37ea7eba2d89c7db14db408a20ad9cdbc28ddda097

SHA512
6186f36982795d116da883769458c74e63a0719a78026f2343e2ba0ff27367d028f72a880e07ca894e8f67aed4f758a41a386bab358cbf18eff51326119d80be

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1C9C3~1\VmtkmMouFiltr_0.sys

Filesize
7KB

MD5
3eb7619b8440e9a003c4a5a9b8acde33

SHA1
5c1d6bbe9ac62e8ce9bb5432b711fdc2e4e3b94f

SHA256
784287759ef05e815b2c486f7bc6af5077d1c9c86c4ef921e8b2039634f667a0

SHA512
eaa73dd2e6a65dff50b6a1ae1b3c3155e68849c5339c89d543e58b4ac34dbd4173e00d6deaf12b47bfe491cd001f0f3b04634364a4fb0acc73070da10ae7a0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1D9D1~1\VmtkmHid_0.cat

Filesize
8KB

MD5
69d398d45035ea070ad1d950947b8258

SHA1
f389482e8f547f08f6637005cb0312ab1c94a9cb

SHA256
f966ccfc34fca47aa0f8de37ea7eba2d89c7db14db408a20ad9cdbc28ddda097

SHA512
6186f36982795d116da883769458c74e63a0719a78026f2343e2ba0ff27367d028f72a880e07ca894e8f67aed4f758a41a386bab358cbf18eff51326119d80be

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1D9D1~1\VmtkmHid_0.sys

Filesize
11KB

MD5
15be41abe19a4c66d9e94ff5afee1822

SHA1
e47dca6ade9843a5ee6d6f100d12bcc06bee5f06

SHA256
da484327e2601a56f90d2ad2a040150171548fe8aeac8332c8f27c9ac6054fbb

SHA512
dcec2d963cee7c26190686c93cd28b4fa17d4c54ca0cf1e231603dc445a17685f43d4fab5e0d1e6b1e6b2bc8aac5617542068064d9639f150e6e77e2e2709c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1c9c308a-e678-8648-a995-24d14538c582}\vmtkmmoufiltr_0.inf

Filesize
2KB

MD5
c96843464c7474150b481cb5f0075c22

SHA1
9fb1a53cbe5c6e9adcb3fd061fc9f292a648a1e5

SHA256
006850d8035f5e776c34ceaf90d292b8ff83e9457e5b32e118e6d5b4a755ca40

SHA512
303bd7f8e9c04f755eb3e0bce867a16be10dbfccc25e98e4e12fa9d51241bb67e27dcac8c0ec0eebc1a20c043cd3e78e0766b879b3ffb69e00bdfe31f07dc0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1c9c308a-e678-8648-a995-24d14538c582}\vmtkmmoufiltr_0.inf

Filesize
2KB

MD5
c96843464c7474150b481cb5f0075c22

SHA1
9fb1a53cbe5c6e9adcb3fd061fc9f292a648a1e5

SHA256
006850d8035f5e776c34ceaf90d292b8ff83e9457e5b32e118e6d5b4a755ca40

SHA512
303bd7f8e9c04f755eb3e0bce867a16be10dbfccc25e98e4e12fa9d51241bb67e27dcac8c0ec0eebc1a20c043cd3e78e0766b879b3ffb69e00bdfe31f07dc0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1d9d1a73-8eac-3449-a0a5-5617c349845c}\vmtkmhid_0.inf

Filesize
3KB

MD5
ac2a7db4b61118498e6d74e302335c2b

SHA1
85da16e595b994cd6e3cdcedc2ae2e5068a5640e

SHA256
20ba09ccf6d435af296bbe9e84212538094ea064128052d737f6884265de05d0

SHA512
25b0ab141032643e7c871066d909b4e331991d55ec602c6b4166ffbab3aa43a1535aae92159ac16d7fb81c5885c3f26518b5b4c2224dd26ac8534f349b2898e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1d9d1a73-8eac-3449-a0a5-5617c349845c}\vmtkmhid_0.inf

Filesize
3KB

MD5
ac2a7db4b61118498e6d74e302335c2b

SHA1
85da16e595b994cd6e3cdcedc2ae2e5068a5640e

SHA256
20ba09ccf6d435af296bbe9e84212538094ea064128052d737f6884265de05d0

SHA512
25b0ab141032643e7c871066d909b4e331991d55ec602c6b4166ffbab3aa43a1535aae92159ac16d7fb81c5885c3f26518b5b4c2224dd26ac8534f349b2898e0

Download Submit
C:\Windows\INF\oem3.inf

Filesize
3KB

MD5
ac2a7db4b61118498e6d74e302335c2b

SHA1
85da16e595b994cd6e3cdcedc2ae2e5068a5640e

SHA256
20ba09ccf6d435af296bbe9e84212538094ea064128052d737f6884265de05d0

SHA512
25b0ab141032643e7c871066d909b4e331991d55ec602c6b4166ffbab3aa43a1535aae92159ac16d7fb81c5885c3f26518b5b4c2224dd26ac8534f349b2898e0

Download Submit
C:\Windows\INF\oem4.inf

Filesize
2KB

MD5
c96843464c7474150b481cb5f0075c22

SHA1
9fb1a53cbe5c6e9adcb3fd061fc9f292a648a1e5

SHA256
006850d8035f5e776c34ceaf90d292b8ff83e9457e5b32e118e6d5b4a755ca40

SHA512
303bd7f8e9c04f755eb3e0bce867a16be10dbfccc25e98e4e12fa9d51241bb67e27dcac8c0ec0eebc1a20c043cd3e78e0766b879b3ffb69e00bdfe31f07dc0d4

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
146KB

MD5
9af209754453a04f64d1948cf9f7a7a4

SHA1
a37bb4a00c522c9f3dfa29bc1e6aeb5c0a2f3a54

SHA256
4dedd1155e8fc236e61f6beff6768520b0269be3a6f171be40ca90fa6b138dd8

SHA512
1117448dedd0d07e4ecbb387abf50a6a97a196816ffde9c5aab3352074250eee8174ad1206fa10b9144ddf3b68ef0e6dafac841a5964f96a06166f06d16d7858

Download Submit
C:\Windows\System32\DriverStore\FileRepository\VMTKMH~1.INF\VmtkmHid_0.sys

Filesize
11KB

MD5
15be41abe19a4c66d9e94ff5afee1822

SHA1
e47dca6ade9843a5ee6d6f100d12bcc06bee5f06

SHA256
da484327e2601a56f90d2ad2a040150171548fe8aeac8332c8f27c9ac6054fbb

SHA512
dcec2d963cee7c26190686c93cd28b4fa17d4c54ca0cf1e231603dc445a17685f43d4fab5e0d1e6b1e6b2bc8aac5617542068064d9639f150e6e77e2e2709c41

Download Submit
C:\Windows\System32\DriverStore\FileRepository\VMTKMM~1.INF\VmtkmMouFiltr_0.sys

Filesize
7KB

MD5
3eb7619b8440e9a003c4a5a9b8acde33

SHA1
5c1d6bbe9ac62e8ce9bb5432b711fdc2e4e3b94f

SHA256
784287759ef05e815b2c486f7bc6af5077d1c9c86c4ef921e8b2039634f667a0

SHA512
eaa73dd2e6a65dff50b6a1ae1b3c3155e68849c5339c89d543e58b4ac34dbd4173e00d6deaf12b47bfe491cd001f0f3b04634364a4fb0acc73070da10ae7a0f5

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vmtkmhid_0.inf_amd64_aaf954d05a2c7d7f\vmtkmhid_0.inf

Filesize
3KB

MD5
ac2a7db4b61118498e6d74e302335c2b

SHA1
85da16e595b994cd6e3cdcedc2ae2e5068a5640e

SHA256
20ba09ccf6d435af296bbe9e84212538094ea064128052d737f6884265de05d0

SHA512
25b0ab141032643e7c871066d909b4e331991d55ec602c6b4166ffbab3aa43a1535aae92159ac16d7fb81c5885c3f26518b5b4c2224dd26ac8534f349b2898e0

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vmtkmmoufiltr_0.inf_amd64_75b639d4ffc4e70a\vmtkmmoufiltr_0.inf

Filesize
2KB

MD5
c96843464c7474150b481cb5f0075c22

SHA1
9fb1a53cbe5c6e9adcb3fd061fc9f292a648a1e5

SHA256
006850d8035f5e776c34ceaf90d292b8ff83e9457e5b32e118e6d5b4a755ca40

SHA512
303bd7f8e9c04f755eb3e0bce867a16be10dbfccc25e98e4e12fa9d51241bb67e27dcac8c0ec0eebc1a20c043cd3e78e0766b879b3ffb69e00bdfe31f07dc0d4

Download Submit
C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\SET7515.tmp

Filesize
8KB

MD5
69d398d45035ea070ad1d950947b8258

SHA1
f389482e8f547f08f6637005cb0312ab1c94a9cb

SHA256
f966ccfc34fca47aa0f8de37ea7eba2d89c7db14db408a20ad9cdbc28ddda097

SHA512
6186f36982795d116da883769458c74e63a0719a78026f2343e2ba0ff27367d028f72a880e07ca894e8f67aed4f758a41a386bab358cbf18eff51326119d80be

Download Submit
C:\Windows\System32\DriverStore\Temp\{2e044234-feb3-1b46-b8bb-e208199d300e}\SET7527.tmp

Filesize
11KB

MD5
15be41abe19a4c66d9e94ff5afee1822

SHA1
e47dca6ade9843a5ee6d6f100d12bcc06bee5f06

SHA256
da484327e2601a56f90d2ad2a040150171548fe8aeac8332c8f27c9ac6054fbb

SHA512
dcec2d963cee7c26190686c93cd28b4fa17d4c54ca0cf1e231603dc445a17685f43d4fab5e0d1e6b1e6b2bc8aac5617542068064d9639f150e6e77e2e2709c41

Download Submit
C:\Windows\System32\DriverStore\Temp\{c11ae73c-96f5-024d-ae1e-83994296212d}\SET7E3F.tmp

Filesize
7KB

MD5
3eb7619b8440e9a003c4a5a9b8acde33

SHA1
5c1d6bbe9ac62e8ce9bb5432b711fdc2e4e3b94f

SHA256
784287759ef05e815b2c486f7bc6af5077d1c9c86c4ef921e8b2039634f667a0

SHA512
eaa73dd2e6a65dff50b6a1ae1b3c3155e68849c5339c89d543e58b4ac34dbd4173e00d6deaf12b47bfe491cd001f0f3b04634364a4fb0acc73070da10ae7a0f5

Download Submit
\??\c:\users\admin\appdata\local\temp\FILEDE~1\x64\VMTKMH~1.SYS

Filesize
11KB

MD5
15be41abe19a4c66d9e94ff5afee1822

SHA1
e47dca6ade9843a5ee6d6f100d12bcc06bee5f06

SHA256
da484327e2601a56f90d2ad2a040150171548fe8aeac8332c8f27c9ac6054fbb

SHA512
dcec2d963cee7c26190686c93cd28b4fa17d4c54ca0cf1e231603dc445a17685f43d4fab5e0d1e6b1e6b2bc8aac5617542068064d9639f150e6e77e2e2709c41

Download Submit
\??\c:\users\admin\appdata\local\temp\FILEDE~1\x64\VMTKMM~1.SYS

Filesize
7KB

MD5
3eb7619b8440e9a003c4a5a9b8acde33

SHA1
5c1d6bbe9ac62e8ce9bb5432b711fdc2e4e3b94f

SHA256
784287759ef05e815b2c486f7bc6af5077d1c9c86c4ef921e8b2039634f667a0

SHA512
eaa73dd2e6a65dff50b6a1ae1b3c3155e68849c5339c89d543e58b4ac34dbd4173e00d6deaf12b47bfe491cd001f0f3b04634364a4fb0acc73070da10ae7a0f5

Download Submit
\??\c:\users\admin\appdata\local\temp\filedef20160419\x64\VmtkmHid_0.cat

Filesize
8KB

MD5
69d398d45035ea070ad1d950947b8258

SHA1
f389482e8f547f08f6637005cb0312ab1c94a9cb

SHA256
f966ccfc34fca47aa0f8de37ea7eba2d89c7db14db408a20ad9cdbc28ddda097

SHA512
6186f36982795d116da883769458c74e63a0719a78026f2343e2ba0ff27367d028f72a880e07ca894e8f67aed4f758a41a386bab358cbf18eff51326119d80be

Download Submit
\??\c:\users\admin\appdata\local\temp\filedef20160419\x64\vmtkmmoufiltr_0.inf

Filesize
2KB

MD5
c96843464c7474150b481cb5f0075c22

SHA1
9fb1a53cbe5c6e9adcb3fd061fc9f292a648a1e5

SHA256
006850d8035f5e776c34ceaf90d292b8ff83e9457e5b32e118e6d5b4a755ca40

SHA512
303bd7f8e9c04f755eb3e0bce867a16be10dbfccc25e98e4e12fa9d51241bb67e27dcac8c0ec0eebc1a20c043cd3e78e0766b879b3ffb69e00bdfe31f07dc0d4

Download Submit
memory/2700-140-0x0000000000B00000-0x0000000000B3C000-memory.dmp

Filesize
240KB

Download
memory/2700-143-0x00000000025D0000-0x000000000268F000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads