899428ab80fd8631cfebe1866105c00e8f8941d48fab310d25e3d807df43dda2

Analysis

max time kernel
45s
max time network
51s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10/06/2023, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

usb_network_gate.exe
Size

5.6MB
MD5

4f2da6f219f49011c4359ab11960e908
SHA1

8fa54635c41daf63721504b7996a9c594ba7842a
SHA256

899428ab80fd8631cfebe1866105c00e8f8941d48fab310d25e3d807df43dda2
SHA512

5a196977254e26fdf5187a9cbeb0bb8b4f091df3157c2d93c60831c039b8d3cc38f47b3aad11373f791e57aa994f09dc5dbdf19a87024cd6e68d7c24311d65b3
SSDEEP

98304:ULkzAUDjQSBP8nKkStjLpIRjQVxWaldytMSY0XvYWAH968gLw:lEUDjTBUKk0ZSpal0EgYWKgLw

Score

8^/10

discovery evasion

Malware Config

Signatures

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\eusbstub.sys	DrvInst.exe
File created	C:\Windows\system32\drivers\fusbhub.sys	setup_server_ung.exe
File opened for modification	C:\Windows\System32\drivers\eusbstub.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SETF5DE.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF5DE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\vuhub.sys	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF736.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SETF736.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SETF005.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF005.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SETF69A.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF69A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\eusbstub.sys	DrvInst.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4764	netsh.exe
4904	netsh.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UsbService64.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\SETEF86.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\eusbstub.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\SETF449.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\SETEF85.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\vuh.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vuh.inf_amd64_0061267cbdc02808\vuh.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vuh.inf_amd64_0061267cbdc02808\vuh.PNF	setup_server_ung.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD	UsbService64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD	UsbService64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\SETEF86.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vuh.inf_amd64_0061267cbdc02808\vuh.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbstub.inf_amd64_82db46f9cc12edde\UsbStub.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\564F5106D1B6452FFC2C012EF7A0C9F7	UsbService64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\564F5106D1B6452FFC2C012EF7A0C9F7	UsbService64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\UsbStub.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\SETF44A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\SETF44A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vuh.inf_amd64_0061267cbdc02808\UsbOverTcp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\SETEF85.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\SETF438.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbstub.inf_amd64_82db46f9cc12edde\eusbstub.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbstub.inf_amd64_82db46f9cc12edde\usbstub.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\UsbOverTcp.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\SETEF97.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbstub.inf_amd64_82db46f9cc12edde\UsbOverTcp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\SETF438.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\SETF449.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\UsbOverTcp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47342e2c-2ad3-4f43-84fd-6bd5cce70d57}\vuhub.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ba81dc0d-0b32-cd4c-8fbf-f9f480b370d8}\SETEF97.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vuh.inf_amd64_0061267cbdc02808\vuhub.sys	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\AutoUpdate.dll	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\appstatico64.dll	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-3D4N1.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-3PLCP.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-1A818.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-3KPUU.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-QK32Q.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-SIGUO.tmp	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\crypt64.dll	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-59S8Q.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-ALQSR.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-GL024.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\is-3SPBL.tmp	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\u2ec.dll	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\usb4rdp64.dll	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\unins000.dat	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-B76HP.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-CR9I9.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\is-G9U8R.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\is-0J44N.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-GJ4HD.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-IDKVS.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-MCMAA.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-DCPOK.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-TH1VE.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-AGSDK.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\is-5OSAI.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-L00CD.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-OJK3Q.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\unins000.msg	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\setup_server_ung.exe	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-9IMU1.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-I2CVQ.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\is-9MSVV.tmp	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\usb4citrix.dll	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-CB4Q6.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\is-FL45H.tmp	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\u2ec.log	UsbService64.exe
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\UsbConfig.exe	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\auth64.dll	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\is-CSKO1.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\locale\is-M7NN4.tmp	usb_network_gate.tmp
File created	C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\is-S7OOQ.tmp	usb_network_gate.tmp
File opened for modification	C:\Program Files\Electronic Team\USB Network Gate\unins000.dat	usb_network_gate.tmp

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem4.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	setup_server_ung.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe

Executes dropped EXE 7 IoCs

pid	Process
4648	usb_network_gate.tmp
2740	_setup64.tmp
5020	setup_server_ung.exe
4244	UsbService64.exe
4800	UsbService64.exe
4544	UsbService64.exe
4628	UsbService64.exe

Loads dropped DLL 3 IoCs

pid	Process
4648	usb_network_gate.tmp
4244	UsbService64.exe
4628	UsbService64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	setup_server_ung.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UsbService64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	UsbService64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UsbService64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	UsbService64.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	UsbService64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	UsbService64.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UsbService64.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\SystemCertificates\CA\Certificates\070A726C6E4418DCF0213874F0C16D93B041E935	UsbService64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\SystemCertificates\CA\Certificates\070A726C6E4418DCF0213874F0C16D93B041E935\Blob = 030000000100000014000000070a726c6e4418dcf0213874f0c16d93b041e935140000000100000014000000f9fb50c48b67bb6764fe8321a6a9ce3f558493990400000001000000100000004e81909e43b318667d7323517b5bcbb90f0000000100000030000000518cd1b2fa328ef6460153004e346852465cf0948d9a37adc3b04a2aad82ac463564c5603e6b155553db2309a8f7bc9b190000000100000010000000d03d161306c6a58ca6af506e1375d7e65c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000db050000308205d7308203bfa003020102021100938bb08e62987b4f75f98cb6a5045c96300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138303930363030303030305a170d3238303930353233353935395a304c310b3009060355040613024c56310d300b06035504071304526967613111300f060355040a1308476f47657453534c311b301906035504031312476f47657453534c2052534120445620434130820122300d06092a864886f70d01010105000382010f003082010a02820101009fc05e210fa13590b8255ecd67d9f1f9bcc42e9021b2c83e0ba8bb1cde94b37a1f307bb9e35384c1f39047e585ea71fc221f549fefc681864d45817a00677110ac5e3d59ef269d3b533c54673301072c946963d23ffa978a78064d2f43091b9cccfbd826712a4839323aa7b30f7a56bbda0d290508f0704c582ea14556c9eba043d34519667d3053462f6beeb61c5f021cb765540919a38d1d465f5de8a77ef4623630806bff4de62a51690d8848d636c9050c47f149cd187e8070c0a74f35fa7ab7fe7e46c16796040ab2d9852d06db10db1d504a73584bd95290c2e2a3ef46bc4429c174b8ba198449f186c9305d24c2eb804db5cfa554493bfe0fdb7bcb2f0203010001a382017530820171301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414f9fb50c48b67bb6764fe8321a6a9ce3f55849399300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b231010202403008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201005d7443287880e433a134ab33b706b273caad94ae2a56dd9735d9735e7e11c9922c0bdf92062d17778bc60e1171e975f837f7e7c6552377334dfc1618d604b5c4aeba532de9af0f6a23c5f5d89e1eafd94d361aecbce72307c093f05caf16ef788f706ce36eeec5c4ae92161b11104020decca562a5556c53deaf0622a88461529afed7d602f9ce3030d22a0470314b6082bfc813bee17a4426db4a7b7b506e24e0dfd50edc14fb7b4fbe26ddc860faabb4c6178b23a1ec505b8ec5ced1e52425905bda558e6d9acc1f5a963eaf0872256f8558d6d3b8d5e4c51e2fe4a3903d6ad8d74d3f40debcfe3d7ba5a2ae49735cb2be7ab27b81fc3c7e30008b05db05df91f13da771efcbe47d0dfb59c566299b47ac7250fd05328f1746f1f7b332c8747fea6e5259ff3be365b05b62a6f7bca986bd87f2b9c83d2864df770a15af7bbf17ad5e2f0a98ceef9364e41f0ef42590a864c76e1920be3c9bf6ffc1fac609a81db6fcd2e547844fbdb9aa0c919e108fb8bba349e5888b21556c5fe7727c53fccd46d2b23e89df84720982816d0e0bfabee4f12aec2d8e7559414fdbddb09050cf483995ed7b143530ce66841c061d85c9c7fbc457f1780fba111c7677c3293cf343ef24b6d5d91ff9263949da526c02ad6266ea6fdabc71950310898d58915454704b0ceae76211b026e744dce057453c4d84c0e62179e311e5ab16f0194219	UsbService64.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	UsbService64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	UsbService64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	UsbService64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UsbService64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4648	usb_network_gate.tmp
4648	usb_network_gate.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeAuditPrivilege	4668	svchost.exe
Token: SeSecurityPrivilege	4668	svchost.exe
Token: SeRestorePrivilege	8	DrvInst.exe
Token: SeBackupPrivilege	8	DrvInst.exe
Token: SeLoadDriverPrivilege	5020	setup_server_ung.exe
Token: SeRestorePrivilege	380	DrvInst.exe
Token: SeBackupPrivilege	380	DrvInst.exe
Token: SeLoadDriverPrivilege	380	DrvInst.exe
Token: SeLoadDriverPrivilege	380	DrvInst.exe
Token: SeLoadDriverPrivilege	380	DrvInst.exe
Token: SeRestorePrivilege	1456	DrvInst.exe
Token: SeBackupPrivilege	1456	DrvInst.exe
Token: SeLoadDriverPrivilege	1456	DrvInst.exe
Token: 33	276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	276	AUDIODG.EXE
Token: SeLoadDriverPrivilege	1456	DrvInst.exe
Token: SeLoadDriverPrivilege	1456	DrvInst.exe
Token: SeRestorePrivilege	2244	DrvInst.exe
Token: SeBackupPrivilege	2244	DrvInst.exe
Token: SeLoadDriverPrivilege	2244	DrvInst.exe
Token: SeLoadDriverPrivilege	2244	DrvInst.exe
Token: SeLoadDriverPrivilege	2244	DrvInst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4648	usb_network_gate.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 4648	2896	usb_network_gate.exe	66
PID 2896 wrote to memory of 4648	2896	usb_network_gate.exe	66
PID 2896 wrote to memory of 4648	2896	usb_network_gate.exe	66
PID 4648 wrote to memory of 2740	4648	usb_network_gate.tmp	67
PID 4648 wrote to memory of 2740	4648	usb_network_gate.tmp	67
PID 4648 wrote to memory of 5020	4648	usb_network_gate.tmp	69
PID 4648 wrote to memory of 5020	4648	usb_network_gate.tmp	69
PID 4668 wrote to memory of 8	4668	svchost.exe	73
PID 4668 wrote to memory of 8	4668	svchost.exe	73
PID 4668 wrote to memory of 4964	4668	svchost.exe	74
PID 4668 wrote to memory of 4964	4668	svchost.exe	74
PID 4668 wrote to memory of 380	4668	svchost.exe	75
PID 4668 wrote to memory of 380	4668	svchost.exe	75
PID 4668 wrote to memory of 1456	4668	svchost.exe	77
PID 4668 wrote to memory of 1456	4668	svchost.exe	77
PID 4668 wrote to memory of 2244	4668	svchost.exe	79
PID 4668 wrote to memory of 2244	4668	svchost.exe	79
PID 4648 wrote to memory of 4244	4648	usb_network_gate.tmp	81
PID 4648 wrote to memory of 4244	4648	usb_network_gate.tmp	81
PID 4648 wrote to memory of 4800	4648	usb_network_gate.tmp	85
PID 4648 wrote to memory of 4800	4648	usb_network_gate.tmp	85
PID 4648 wrote to memory of 4544	4648	usb_network_gate.tmp	87
PID 4648 wrote to memory of 4544	4648	usb_network_gate.tmp	87
PID 4648 wrote to memory of 4764	4648	usb_network_gate.tmp	90
PID 4648 wrote to memory of 4764	4648	usb_network_gate.tmp	90
PID 4648 wrote to memory of 4904	4648	usb_network_gate.tmp	92
PID 4648 wrote to memory of 4904	4648	usb_network_gate.tmp	92

C:\Users\Admin\AppData\Local\Temp\usb_network_gate.exe
"C:\Users\Admin\AppData\Local\Temp\usb_network_gate.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\is-3JEIG.tmp\usb_network_gate.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3JEIG.tmp\usb_network_gate.tmp" /SL5="$7007A,5352830,121344,C:\Users\Admin\AppData\Local\Temp\usb_network_gate.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\is-T3VNE.tmp\_isetup\_setup64.tmp
    helper 105 0x3D0
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\setup_server_ung.exe
    "C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\setup_server_ung.exe"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe
    "C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe" install E232F16E-D109-45DB-A1D3-DD21BEB3B75F
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    PID:4244
- - C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe
    "C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe" migrate
    3⤵
    - Executes dropped EXE
    PID:4800
- - C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe
    "C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe" enable
    3⤵
    - Executes dropped EXE
    PID:4544
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=u2ec_service dir=in action=allow program="C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4764
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=u2ec_gui dir=in action=allow program="C:\Program Files\Electronic Team\USB Network Gate\UsbConfig.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4904

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{da9dd65c-087b-c04a-980a-c4359f997bf6}\UsbStub.inf" "9" "4eb22a207" "000000000000016C" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{057f2a9c-7bce-ab45-b458-eaa1edbce8a3}\vuh.inf" "9" "425e1bb63" "0000000000000138" "WinSta0\Default" "000000000000017C" "208" "c:\program files\electronic team\usb network gate\drv\nt6x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4964
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "vuh.inf:741f41b5ee77f2a1:VUHUB_Device:7.1.1549.0:vuhub," "425e1bb63" "0000000000000138"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "0" "UsbEStub\Devices\0000" "" "" "455b45ca3" "0000000000000000"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "0" "UsbEStub\Devices\0004" "" "" "4c5c6bf7f" "0000000000000000"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe
"C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\ELECTR~1\USBNET~1\drv\NT6x64\USBOVE~1.CAT

Filesize
9KB

MD5
c8256436ce819a44b623c6a2d187ed4b

SHA1
03485e4f158bba63e10f323238656a8fd5f312e5

SHA256
ff42009f192bd6ec5e16a7cfd2366f39d3d337391d78aa5e41403375a957639c

SHA512
f6d01e074a2da87604d1106234c8db26070b261ac2ba6000990bbae0da1e123733ad04e072090c4f3cd439859cc8bbf0ed2ab426e242f9677a92746a63c9cba2

Download Submit
C:\PROGRA~1\ELECTR~1\USBNET~1\drv\NT6x64\eusbstub.sys

Filesize
41KB

MD5
874b6d8979802b45f765413c11668fea

SHA1
746b398773759bf97dfdd3437659df15b4b29fa2

SHA256
26e6d9fd4fda86ffc995f0f944101f890a86a6b23b546b8a069af6c230f82fe3

SHA512
64ff94f929b65489ae74627fcfe84311dc21c0fd2651fdb3e658db8651d4a8033a5f166e790b42d0e0550ad530a17a709f7c73e17fcd2c320e05476fd204b0fe

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\UsbConfig.exe

Filesize
5.6MB

MD5
18c7ca5a13f2689b55a2d6b29754c945

SHA1
421775f04de52250eb26cbc12553a0b83959b179

SHA256
54e83a4a55d677828b80c7a272a12191238d1ae09b5a03ab6cddbc8a9809aae1

SHA512
5a7a87d5d494b228bcf2d8090c9bb783d63e3d1d15c72b17da41a5882bae825c5e992846225c1430e227ff038a58a964835ea6ab40eadde343087761f5fe83ff

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe

Filesize
3.6MB

MD5
f48aa83ecea00c920e1ba03554373239

SHA1
ef177072d305125798764703d8563f05200fd46a

SHA256
923d4e4ef4e9b15520914cac064df4102889934a0f667a7983811bdc8318e27a

SHA512
6f9c346e9dee22fde39f0c798a57cba4f99eb4cc2d251a10cfed4a583a3791e65720c1f4c33400516a148881105a4142e409b0f4f54aaf51c241860fe6391982

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe

Filesize
3.6MB

MD5
f48aa83ecea00c920e1ba03554373239

SHA1
ef177072d305125798764703d8563f05200fd46a

SHA256
923d4e4ef4e9b15520914cac064df4102889934a0f667a7983811bdc8318e27a

SHA512
6f9c346e9dee22fde39f0c798a57cba4f99eb4cc2d251a10cfed4a583a3791e65720c1f4c33400516a148881105a4142e409b0f4f54aaf51c241860fe6391982

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe

Filesize
3.6MB

MD5
f48aa83ecea00c920e1ba03554373239

SHA1
ef177072d305125798764703d8563f05200fd46a

SHA256
923d4e4ef4e9b15520914cac064df4102889934a0f667a7983811bdc8318e27a

SHA512
6f9c346e9dee22fde39f0c798a57cba4f99eb4cc2d251a10cfed4a583a3791e65720c1f4c33400516a148881105a4142e409b0f4f54aaf51c241860fe6391982

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe

Filesize
3.6MB

MD5
f48aa83ecea00c920e1ba03554373239

SHA1
ef177072d305125798764703d8563f05200fd46a

SHA256
923d4e4ef4e9b15520914cac064df4102889934a0f667a7983811bdc8318e27a

SHA512
6f9c346e9dee22fde39f0c798a57cba4f99eb4cc2d251a10cfed4a583a3791e65720c1f4c33400516a148881105a4142e409b0f4f54aaf51c241860fe6391982

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe

Filesize
3.6MB

MD5
f48aa83ecea00c920e1ba03554373239

SHA1
ef177072d305125798764703d8563f05200fd46a

SHA256
923d4e4ef4e9b15520914cac064df4102889934a0f667a7983811bdc8318e27a

SHA512
6f9c346e9dee22fde39f0c798a57cba4f99eb4cc2d251a10cfed4a583a3791e65720c1f4c33400516a148881105a4142e409b0f4f54aaf51c241860fe6391982

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\UsbService64.exe

Filesize
3.6MB

MD5
f48aa83ecea00c920e1ba03554373239

SHA1
ef177072d305125798764703d8563f05200fd46a

SHA256
923d4e4ef4e9b15520914cac064df4102889934a0f667a7983811bdc8318e27a

SHA512
6f9c346e9dee22fde39f0c798a57cba4f99eb4cc2d251a10cfed4a583a3791e65720c1f4c33400516a148881105a4142e409b0f4f54aaf51c241860fe6391982

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\appstatico64.dll

Filesize
874KB

MD5
80951a7cda153b71980e4a47c95b3f79

SHA1
5b1ff54ec99432bd989749f674dec5780232446a

SHA256
62b298c4516266e911042af367d7f5207ad61bc1317e03049449cdfad10f24d8

SHA512
54d5ee2ca3a4a53c4750d73e1a0c5a691d69ad62aad14f438516bccd42a3b1893fe1d29302313561706c8b3b64a1fd73dbb686c7a44765d724e58a43302dcdc5

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\UsbStub.inf

Filesize
1KB

MD5
c8ad4ce198d0e7150e97ac3574b28b7a

SHA1
6125a164683230545b698202c85c6d30126729a2

SHA256
db159d6322c121ad4e398640b85ce51a7d502a66231c6569f6955a55252d49de

SHA512
6d5c3409d7e604e9204de2d2982447f0877e361ed944d6b836b195ce9d25440e8192886647e413683b9f7875c0fc595ce13464d8c013e70c54ca01706296a944

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\fusbhub.sys

Filesize
130KB

MD5
f723872b5737b538954376c278bf5cf2

SHA1
fb80b43a5d06925485b50df2f60b62ab24345762

SHA256
69d700a975483c9bd3d244d33311c169e9ea46cac5eb8fc231d1d69c486efc25

SHA512
000f7f9f1c8efe64561d373fa2701d02d56eac20feecea70da64dfc00010f2edfe068d23c426dc6d5b9aaaed05dcf87fb013c991a8966610be424be79a6e4090

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\setup_server_ung.exe

Filesize
312KB

MD5
ffe8f8eb99a1584bf6d73d2263a29ff4

SHA1
230c17ea6914382ba11b787c2700265e12b50d6f

SHA256
73076350c2d63471a117f8060bedb525559760a83c77bafcb4129ad3ae0e3ddd

SHA512
1a0b1830e9273e683f1ee64d2447496d059bee98269faaf4c1e8d1f1be6ec9116ba02328253584ef8c2b9530d84dca81aa1791d50a65e106fd85b014c5aa69b7

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\setup_server_ung.exe

Filesize
312KB

MD5
ffe8f8eb99a1584bf6d73d2263a29ff4

SHA1
230c17ea6914382ba11b787c2700265e12b50d6f

SHA256
73076350c2d63471a117f8060bedb525559760a83c77bafcb4129ad3ae0e3ddd

SHA512
1a0b1830e9273e683f1ee64d2447496d059bee98269faaf4c1e8d1f1be6ec9116ba02328253584ef8c2b9530d84dca81aa1791d50a65e106fd85b014c5aa69b7

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\drv\NT6x64\vuh.inf

Filesize
2KB

MD5
de25c0a813ea6f9f525e9335d6712cc7

SHA1
9e3a6a9cdab4dd4b396f8022e1c12b8533aa0a93

SHA256
78566f6dcda850de765fca0805978a19669f72e03fbba108995c6240f82e2e74

SHA512
ecd0d8cefc8238dc116e41be4504b575c620ed22abfdd1baf5370fbb5b743b30d561221c862c7ce0fddf5ad0c5f50095825915c2e53f49d614e9eefd09af4c00

Download Submit
C:\Program Files\Electronic Team\USB Network Gate\unins000.exe

Filesize
1.1MB

MD5
c46c06a8125c2278d0c56ca7d6c1eafb

SHA1
3f0013fc90d848ed843e5cae794bd6c2b57ca579

SHA256
75988fd80ab99f677db171d1db74292c4838838d3c6e535cd3831bbfd71711ea

SHA512
8f9c32227108a02abd911e7a875b13882954e50960abd280b43d5187f45e0c02cc8ef15d809f3d30d604fbe77a2b49719ba512e74b7b35aea4b3a8ecfd3e19cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3JEIG.tmp\usb_network_gate.tmp

Filesize
1.1MB

MD5
c46c06a8125c2278d0c56ca7d6c1eafb

SHA1
3f0013fc90d848ed843e5cae794bd6c2b57ca579

SHA256
75988fd80ab99f677db171d1db74292c4838838d3c6e535cd3831bbfd71711ea

SHA512
8f9c32227108a02abd911e7a875b13882954e50960abd280b43d5187f45e0c02cc8ef15d809f3d30d604fbe77a2b49719ba512e74b7b35aea4b3a8ecfd3e19cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3JEIG.tmp\usb_network_gate.tmp

Filesize
1.1MB

MD5
c46c06a8125c2278d0c56ca7d6c1eafb

SHA1
3f0013fc90d848ed843e5cae794bd6c2b57ca579

SHA256
75988fd80ab99f677db171d1db74292c4838838d3c6e535cd3831bbfd71711ea

SHA512
8f9c32227108a02abd911e7a875b13882954e50960abd280b43d5187f45e0c02cc8ef15d809f3d30d604fbe77a2b49719ba512e74b7b35aea4b3a8ecfd3e19cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3VNE.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{057F2~1\UsbOverTcp.cat

Filesize
9KB

MD5
c8256436ce819a44b623c6a2d187ed4b

SHA1
03485e4f158bba63e10f323238656a8fd5f312e5

SHA256
ff42009f192bd6ec5e16a7cfd2366f39d3d337391d78aa5e41403375a957639c

SHA512
f6d01e074a2da87604d1106234c8db26070b261ac2ba6000990bbae0da1e123733ad04e072090c4f3cd439859cc8bbf0ed2ab426e242f9677a92746a63c9cba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{057F2~1\vuhub.sys

Filesize
159KB

MD5
9a8afb19060e40ec547753451897b60e

SHA1
8895f1c7037771b60f08331ec2575ea249131b08

SHA256
33f78c7a432d68501fe0844632c4d86d5316385fc3682b5bfbce52ac43b94407

SHA512
303f83adaee2ae3cc72c269f073ec34e90e7cd12bc0226a1736e563a86e0c78df5831e5cf1092947aba4fc0a8ac4d6989aac43d33b1b5d6bbb272895a8a05cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{057f2a9c-7bce-ab45-b458-eaa1edbce8a3}\vuh.inf

Filesize
2KB

MD5
de25c0a813ea6f9f525e9335d6712cc7

SHA1
9e3a6a9cdab4dd4b396f8022e1c12b8533aa0a93

SHA256
78566f6dcda850de765fca0805978a19669f72e03fbba108995c6240f82e2e74

SHA512
ecd0d8cefc8238dc116e41be4504b575c620ed22abfdd1baf5370fbb5b743b30d561221c862c7ce0fddf5ad0c5f50095825915c2e53f49d614e9eefd09af4c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\{057f2a9c-7bce-ab45-b458-eaa1edbce8a3}\vuh.inf

Filesize
2KB

MD5
de25c0a813ea6f9f525e9335d6712cc7

SHA1
9e3a6a9cdab4dd4b396f8022e1c12b8533aa0a93

SHA256
78566f6dcda850de765fca0805978a19669f72e03fbba108995c6240f82e2e74

SHA512
ecd0d8cefc8238dc116e41be4504b575c620ed22abfdd1baf5370fbb5b743b30d561221c862c7ce0fddf5ad0c5f50095825915c2e53f49d614e9eefd09af4c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\{057f2a9c-7bce-ab45-b458-eaa1edbce8a3}\vuhub.sys

Filesize
159KB

MD5
9a8afb19060e40ec547753451897b60e

SHA1
8895f1c7037771b60f08331ec2575ea249131b08

SHA256
33f78c7a432d68501fe0844632c4d86d5316385fc3682b5bfbce52ac43b94407

SHA512
303f83adaee2ae3cc72c269f073ec34e90e7cd12bc0226a1736e563a86e0c78df5831e5cf1092947aba4fc0a8ac4d6989aac43d33b1b5d6bbb272895a8a05cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA9DD~1\UsbOverTcp.cat

Filesize
9KB

MD5
c8256436ce819a44b623c6a2d187ed4b

SHA1
03485e4f158bba63e10f323238656a8fd5f312e5

SHA256
ff42009f192bd6ec5e16a7cfd2366f39d3d337391d78aa5e41403375a957639c

SHA512
f6d01e074a2da87604d1106234c8db26070b261ac2ba6000990bbae0da1e123733ad04e072090c4f3cd439859cc8bbf0ed2ab426e242f9677a92746a63c9cba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA9DD~1\eusbstub.sys

Filesize
41KB

MD5
874b6d8979802b45f765413c11668fea

SHA1
746b398773759bf97dfdd3437659df15b4b29fa2

SHA256
26e6d9fd4fda86ffc995f0f944101f890a86a6b23b546b8a069af6c230f82fe3

SHA512
64ff94f929b65489ae74627fcfe84311dc21c0fd2651fdb3e658db8651d4a8033a5f166e790b42d0e0550ad530a17a709f7c73e17fcd2c320e05476fd204b0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{da9dd65c-087b-c04a-980a-c4359f997bf6}\UsbOverTcp.cat

Filesize
9KB

MD5
c8256436ce819a44b623c6a2d187ed4b

SHA1
03485e4f158bba63e10f323238656a8fd5f312e5

SHA256
ff42009f192bd6ec5e16a7cfd2366f39d3d337391d78aa5e41403375a957639c

SHA512
f6d01e074a2da87604d1106234c8db26070b261ac2ba6000990bbae0da1e123733ad04e072090c4f3cd439859cc8bbf0ed2ab426e242f9677a92746a63c9cba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{da9dd65c-087b-c04a-980a-c4359f997bf6}\UsbStub.inf

Filesize
1KB

MD5
c8ad4ce198d0e7150e97ac3574b28b7a

SHA1
6125a164683230545b698202c85c6d30126729a2

SHA256
db159d6322c121ad4e398640b85ce51a7d502a66231c6569f6955a55252d49de

SHA512
6d5c3409d7e604e9204de2d2982447f0877e361ed944d6b836b195ce9d25440e8192886647e413683b9f7875c0fc595ce13464d8c013e70c54ca01706296a944

Download Submit
C:\Users\Admin\AppData\Local\Temp\{da9dd65c-087b-c04a-980a-c4359f997bf6}\UsbStub.inf

Filesize
1KB

MD5
c8ad4ce198d0e7150e97ac3574b28b7a

SHA1
6125a164683230545b698202c85c6d30126729a2

SHA256
db159d6322c121ad4e398640b85ce51a7d502a66231c6569f6955a55252d49de

SHA512
6d5c3409d7e604e9204de2d2982447f0877e361ed944d6b836b195ce9d25440e8192886647e413683b9f7875c0fc595ce13464d8c013e70c54ca01706296a944

Download Submit
C:\Users\Admin\AppData\Local\Temp\{da9dd65c-087b-c04a-980a-c4359f997bf6}\eusbstub.sys

Filesize
41KB

MD5
874b6d8979802b45f765413c11668fea

SHA1
746b398773759bf97dfdd3437659df15b4b29fa2

SHA256
26e6d9fd4fda86ffc995f0f944101f890a86a6b23b546b8a069af6c230f82fe3

SHA512
64ff94f929b65489ae74627fcfe84311dc21c0fd2651fdb3e658db8651d4a8033a5f166e790b42d0e0550ad530a17a709f7c73e17fcd2c320e05476fd204b0fe

Download Submit
C:\Windows\INF\oem3.PNF

Filesize
7KB

MD5
685bdb752aed15cb9c896141b10a925b

SHA1
07da6a8b5a76b71897aee8dac9408da1ff57228a

SHA256
a5bc30768177bac1e6229db8d5a7cf0051a88cc64dfb37cf982a38574a1f88a5

SHA512
40d832f729d71c5521e29af33864ed460e0439e23a57c2a809d66669c2e724fe336332b49d7e6c6b1388f6d23971f1958c5c393b4771008ee870a805e78ebac0

Download Submit
C:\Windows\INF\oem3.inf

Filesize
1KB

MD5
c8ad4ce198d0e7150e97ac3574b28b7a

SHA1
6125a164683230545b698202c85c6d30126729a2

SHA256
db159d6322c121ad4e398640b85ce51a7d502a66231c6569f6955a55252d49de

SHA512
6d5c3409d7e604e9204de2d2982447f0877e361ed944d6b836b195ce9d25440e8192886647e413683b9f7875c0fc595ce13464d8c013e70c54ca01706296a944

Download Submit
C:\Windows\INF\oem4.PNF

Filesize
6KB

MD5
d83b4c83a4d51ab2960047fec5d3bca8

SHA1
c8502747b92a07881fad7a269a7b9c3064a76e3b

SHA256
3e5331dd7455436aced4f89dd480f2ecd21295c8d7fe2af9aa4f950349f67b34

SHA512
d9eb1241f2555c36c6f8233447623343c5c9701826592de77c277c530bfe07ac427479a5e4b0d953ebfddd33b2bbca4b0153e42bd12effb1645c39dcec88ee29

Download Submit
C:\Windows\INF\oem4.inf

Filesize
2KB

MD5
de25c0a813ea6f9f525e9335d6712cc7

SHA1
9e3a6a9cdab4dd4b396f8022e1c12b8533aa0a93

SHA256
78566f6dcda850de765fca0805978a19669f72e03fbba108995c6240f82e2e74

SHA512
ecd0d8cefc8238dc116e41be4504b575c620ed22abfdd1baf5370fbb5b743b30d561221c862c7ce0fddf5ad0c5f50095825915c2e53f49d614e9eefd09af4c00

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
181KB

MD5
fa14602aab94507aeba39a4d9f4cdb50

SHA1
f0fd33d0b5bc9c8db34274dbe1b75bf790507648

SHA256
6df2b7375bc90999fae28ac0a85036f63ce1aa57721abbda3f4aeaf131d9338a

SHA512
bf9607427db5b230e39076764a607a23a74220ccea40a2afe5c3148d5319cb146fa11d9e3453e1a70e27cae00d3ddf5aae523cc8e80e182ac4c890b739942230

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\USBSTU~1.INF\eusbstub.sys

Filesize
41KB

MD5
874b6d8979802b45f765413c11668fea

SHA1
746b398773759bf97dfdd3437659df15b4b29fa2

SHA256
26e6d9fd4fda86ffc995f0f944101f890a86a6b23b546b8a069af6c230f82fe3

SHA512
64ff94f929b65489ae74627fcfe84311dc21c0fd2651fdb3e658db8651d4a8033a5f166e790b42d0e0550ad530a17a709f7c73e17fcd2c320e05476fd204b0fe

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\VUH~1.INF\vuhub.sys

Filesize
159KB

MD5
9a8afb19060e40ec547753451897b60e

SHA1
8895f1c7037771b60f08331ec2575ea249131b08

SHA256
33f78c7a432d68501fe0844632c4d86d5316385fc3682b5bfbce52ac43b94407

SHA512
303f83adaee2ae3cc72c269f073ec34e90e7cd12bc0226a1736e563a86e0c78df5831e5cf1092947aba4fc0a8ac4d6989aac43d33b1b5d6bbb272895a8a05cd5

Download Submit
C:\Windows\System32\DriverStore\FileRepository\usbstub.inf_amd64_82db46f9cc12edde\UsbOverTcp.cat

Filesize
9KB

MD5
c8256436ce819a44b623c6a2d187ed4b

SHA1
03485e4f158bba63e10f323238656a8fd5f312e5

SHA256
ff42009f192bd6ec5e16a7cfd2366f39d3d337391d78aa5e41403375a957639c

SHA512
f6d01e074a2da87604d1106234c8db26070b261ac2ba6000990bbae0da1e123733ad04e072090c4f3cd439859cc8bbf0ed2ab426e242f9677a92746a63c9cba2

Download Submit
C:\Windows\System32\DriverStore\FileRepository\usbstub.inf_amd64_82db46f9cc12edde\usbstub.PNF

Filesize
7KB

MD5
67759d1773e374d47aea2ed8eeec6a0b

SHA1
4e00d930757817008ac14154c5964e4f0d3e7110

SHA256
26a8187716800ae1a398914410640152a9279daf0fa5b383d9259cb4c9c7603f

SHA512
38e594e164de65a184a6882b6051e868f99dec81f33c3e15a68264666d2c1c3d2e1a2bd9eb38ccd8475d0901fa13c5b325ed3da4f5e8984529bff2c2d4b598dc

Download Submit
C:\Windows\System32\DriverStore\FileRepository\usbstub.inf_amd64_82db46f9cc12edde\usbstub.inf

Filesize
1KB

MD5
c8ad4ce198d0e7150e97ac3574b28b7a

SHA1
6125a164683230545b698202c85c6d30126729a2

SHA256
db159d6322c121ad4e398640b85ce51a7d502a66231c6569f6955a55252d49de

SHA512
6d5c3409d7e604e9204de2d2982447f0877e361ed944d6b836b195ce9d25440e8192886647e413683b9f7875c0fc595ce13464d8c013e70c54ca01706296a944

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vuh.inf_amd64_0061267cbdc02808\UsbOverTcp.cat

Filesize
9KB

MD5
c8256436ce819a44b623c6a2d187ed4b

SHA1
03485e4f158bba63e10f323238656a8fd5f312e5

SHA256
ff42009f192bd6ec5e16a7cfd2366f39d3d337391d78aa5e41403375a957639c

SHA512
f6d01e074a2da87604d1106234c8db26070b261ac2ba6000990bbae0da1e123733ad04e072090c4f3cd439859cc8bbf0ed2ab426e242f9677a92746a63c9cba2

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vuh.inf_amd64_0061267cbdc02808\vuh.inf

Filesize
2KB

MD5
de25c0a813ea6f9f525e9335d6712cc7

SHA1
9e3a6a9cdab4dd4b396f8022e1c12b8533aa0a93

SHA256
78566f6dcda850de765fca0805978a19669f72e03fbba108995c6240f82e2e74

SHA512
ecd0d8cefc8238dc116e41be4504b575c620ed22abfdd1baf5370fbb5b743b30d561221c862c7ce0fddf5ad0c5f50095825915c2e53f49d614e9eefd09af4c00

Download Submit
C:\Windows\system32\DRIVERS\eusbstub.sys

Filesize
41KB

MD5
874b6d8979802b45f765413c11668fea

SHA1
746b398773759bf97dfdd3437659df15b4b29fa2

SHA256
26e6d9fd4fda86ffc995f0f944101f890a86a6b23b546b8a069af6c230f82fe3

SHA512
64ff94f929b65489ae74627fcfe84311dc21c0fd2651fdb3e658db8651d4a8033a5f166e790b42d0e0550ad530a17a709f7c73e17fcd2c320e05476fd204b0fe

Download Submit
\??\c:\PROGRA~1\ELECTR~1\USBNET~1\drv\nt6x64\vuhub.sys

Filesize
159KB

MD5
9a8afb19060e40ec547753451897b60e

SHA1
8895f1c7037771b60f08331ec2575ea249131b08

SHA256
33f78c7a432d68501fe0844632c4d86d5316385fc3682b5bfbce52ac43b94407

SHA512
303f83adaee2ae3cc72c269f073ec34e90e7cd12bc0226a1736e563a86e0c78df5831e5cf1092947aba4fc0a8ac4d6989aac43d33b1b5d6bbb272895a8a05cd5

Download Submit
\Program Files\Electronic Team\USB Network Gate\appstatico64.dll

Filesize
874KB

MD5
80951a7cda153b71980e4a47c95b3f79

SHA1
5b1ff54ec99432bd989749f674dec5780232446a

SHA256
62b298c4516266e911042af367d7f5207ad61bc1317e03049449cdfad10f24d8

SHA512
54d5ee2ca3a4a53c4750d73e1a0c5a691d69ad62aad14f438516bccd42a3b1893fe1d29302313561706c8b3b64a1fd73dbb686c7a44765d724e58a43302dcdc5

Download Submit
\Program Files\Electronic Team\USB Network Gate\appstatico64.dll

Filesize
874KB

MD5
80951a7cda153b71980e4a47c95b3f79

SHA1
5b1ff54ec99432bd989749f674dec5780232446a

SHA256
62b298c4516266e911042af367d7f5207ad61bc1317e03049449cdfad10f24d8

SHA512
54d5ee2ca3a4a53c4750d73e1a0c5a691d69ad62aad14f438516bccd42a3b1893fe1d29302313561706c8b3b64a1fd73dbb686c7a44765d724e58a43302dcdc5

Download Submit
\Users\Admin\AppData\Local\Temp\is-T3VNE.tmp\reset.dll

Filesize
75KB

MD5
1fb1431779318f095681607eaccc1c04

SHA1
ce91517ab44d02a97fbc933894065de8d5a4ac4a

SHA256
ef4465a8765b207bab591cb1bd2bb0402ce60a1f99c5391b1beb65936bc6869c

SHA512
05ed6ebb2ddcb71bdff7a9321f62df91e2fb63af18ec78390b2a1299f34a7cd8c7a86b728f88bf8662c41b3719f2e009dd20dff837cb65898e373067054aa44c

Download Submit
memory/2896-121-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2896-416-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4648-213-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4648-392-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4648-134-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4648-133-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4648-126-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4648-415-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download