5a4be9e92cf84b6fdedef3623c4fc76a9a239e98f88c0c4368bbb72caafdda03

Analysis

max time kernel
108s
max time network
22s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Qcma_setup-0.4.1.exe
Size

60.5MB
MD5

7f924f1a8dc878abf31b1638fdad40b7
SHA1

4d69403b0d3d9a53d87a879bb247533bf408bf67
SHA256

5a4be9e92cf84b6fdedef3623c4fc76a9a239e98f88c0c4368bbb72caafdda03
SHA512

a5d66c2d340455cbe329726ab69153a816925608ec7ba5f67b816e8d0530f3df2cbe067edb3672d24630a2a94dda9d68e2a94421c39acf5079cd511c9cb8cb4f
SSDEEP

1572864:7VJTNxo+L/7xl6DgRPMg31jBP7qwv0hfe6i7IbnKs8I0:/TNFNYMj1jhqwife6kIml

Score

8^/10

discovery

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 5 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 03000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc602000000010000004c0000001c0000000000000001000000200000000000000000000000020000006c006900620077006400690020006b0065007900200063006f006e007400610069006e006500720000000000000000000b000000010000000e0000006c006900620077006400690000002000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 03000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc62000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 0b000000010000000e0000006c0069006200770064006900000003000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc62000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 0f000000010000001400000086443813598c8f37ef36785fd8ba56af7cf283e303000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc60b000000010000000e0000006c006900620077006400690000002000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	DrvInst.exe

Executes dropped EXE 5 IoCs

pid	Process
2276	QcmaDriver_winusb.exe
552	dpscat.exe
768	dpinst64.exe
1276	Process not Found
2848	qcma.exe

Loads dropped DLL 46 IoCs

pid	Process
3020	Qcma_setup-0.4.1.exe
3020	Qcma_setup-0.4.1.exe
3020	Qcma_setup-0.4.1.exe
3020	Qcma_setup-0.4.1.exe
3020	Qcma_setup-0.4.1.exe
3020	Qcma_setup-0.4.1.exe
3020	Qcma_setup-0.4.1.exe
3020	Qcma_setup-0.4.1.exe
2276	QcmaDriver_winusb.exe
2276	QcmaDriver_winusb.exe
3020	Qcma_setup-0.4.1.exe
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe
2848	qcma.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\libusbK.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\WinUSBCoInstaller2.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ps_vita_type_b_winusb.inf_amd64_neutral_79e169d980e30cba\ps_vita_type_b_winusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\x86	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\PS_Vita_Type_B_winusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\SET51B9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\SET51B9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	dpinst64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\x86\libusbK_x86.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\SET51B8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\SET51DA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ps_vita_type_b_winusb.inf_amd64_neutral_79e169d980e30cba\ps_vita_type_b_winusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\ps_vita_type_b_winusb.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\SET5258.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\x86\SET52E6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\SET51B8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\SET5258.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\SET51DA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\SET51EA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\amd64\SET51EA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ac84f26-e2c6-54ae-c8ea-787563d11204}\x86\SET52E6.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Qcma\libfreetype-6.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_zh_CN.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_ja.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_uk.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\liblzma-5.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_fr.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\driver\QcmaDriver_libusbk.exe	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\avformat-57.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libicuuc57.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libstdc++-6.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\Qt5Network.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_pt.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\driver\QcmaDriver_winusb.exe	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_ar.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_en.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_de.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_ko.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\Qt5Gui.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libbz2-1.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\imageformats\qjpeg.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_fi.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libharfbuzz-0.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libicudt57.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libsqlite3-0.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libvitamtp-5.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_da.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_ru.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_hu.qm	Qcma_setup-0.4.1.exe
File created	C:\PROGRA~1\DIFX\4A7292F75FEBBD3C\dpinst64.exe	dpinst64.exe
File created	C:\Program Files\Qcma\libgraphite2.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libicuin57.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libjpeg-8.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_ko.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libpcre16-0.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libpng16-16.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_lt.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_sv.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\sqldrivers\qsqlite.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_cs.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libgcc_s_seh-1.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libusb-1.0.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\swresample-2.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\imageformats\qgif.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_fa.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_it.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\Qt5Widgets.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\swscale-4.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_es.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_en.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_pl.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_gl.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_fr.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_gl.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_zh_TW.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libwinpthread-1.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_sk.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_de.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_help_pl.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_ru.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_zh_TW.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libpcre-1.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\libtiff-5.dll	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_ca.qm	Qcma_setup-0.4.1.exe
File created	C:\Program Files\Qcma\translations\qt_da.qm	Qcma_setup-0.4.1.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	dpinst64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a41b-191.dat	nsis_installer_1
behavioral1/files/0x000500000001a41b-191.dat	nsis_installer_2

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 03000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc602000000010000004c0000001c0000000000000001000000200000000000000000000000020000006c006900620077006400690020006b0065007900200063006f006e007400610069006e006500720000000000000000000b000000010000000e0000006c006900620077006400690000002000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 03000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc602000000010000004c0000001c0000000000000001000000200000000000000000000000020000006c006900620077006400690020006b0065007900200063006f006e007400610069006e006500720000000000000000000b000000010000000e0000006c006900620077006400690000002000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 03000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc62000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 03000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc62000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 0b000000010000000e0000006c0069006200770064006900000003000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc62000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6	dpscat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 0f000000010000001400000086443813598c8f37ef36785fd8ba56af7cf283e30b000000010000000e0000006c0069006200770064006900000002000000010000004c0000001c0000000000000001000000200000000000000000000000020000006c006900620077006400690020006b0065007900200063006f006e007400610069006e0065007200000000000000000003000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc62000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19F6D9F7B3D05286FACFD079BCFBBED8387B2BC6\Blob = 0b000000010000000e0000006c0069006200770064006900000003000000010000001400000019f6d9f7b3d05286facfd079bcfbbed8387b2bc62000000001000000cc020000308202c830820231a003020102021049792eb17e73f89f405865b085e5ec27300d06092a864886f70d010105050030633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d301e170d3234303232323131353132355a170d3239303130313030303030305a30633161305f06035504031e58004d006900630072006f0073006f006600740020002800500053005f0056006900740061005f0054007900700065005f0042005f00770069006e007500730062002e0069006e006600290020005b00530065006c0066005d30819f300d06092a864886f70d010101050003818d0030818902818100b949dcd00e0b2da2c7fe075c482f3d93b85b1c7999e4fae5d7c3fc2aa9c3f41247a40b0e05ae5a4d9da979f88b7487d6d4d02be63a403ae624773929b201e8afc82951ec692164282c0088225143f6ff7b6f7af7f7662e87db34ff58e2a4fc593dd0a85d26730ce5c74fad77d9e5a07cec9173362e1f1807eb08c00a45d858c90203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181008e478563ff9829561f421c8d07f778cac01dc72c17d05351e2da5ccda9366488a249d7221ef84e0280dcf15e59f969945ec6c6f9d2048ee2f03e329893a0377c0288f6b735c9ec7f5b5fce96da5aef6612db35750e95e5b90e095127e3085488858a137fe9fb787c0c1551d0a65928dedddfc547f3e751d9d1a6b2c8113014b4	dpscat.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeRestorePrivilege	552	dpscat.exe
Token: SeRestorePrivilege	552	dpscat.exe
Token: SeRestorePrivilege	552	dpscat.exe
Token: SeRestorePrivilege	552	dpscat.exe
Token: SeRestorePrivilege	552	dpscat.exe
Token: SeRestorePrivilege	552	dpscat.exe
Token: SeRestorePrivilege	552	dpscat.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	768	dpinst64.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeBackupPrivilege	844	vssvc.exe
Token: SeRestorePrivilege	844	vssvc.exe
Token: SeAuditPrivilege	844	vssvc.exe
Token: SeBackupPrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2024	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2276	3020	Qcma_setup-0.4.1.exe	30
PID 3020 wrote to memory of 2276	3020	Qcma_setup-0.4.1.exe	30
PID 3020 wrote to memory of 2276	3020	Qcma_setup-0.4.1.exe	30
PID 3020 wrote to memory of 2276	3020	Qcma_setup-0.4.1.exe	30
PID 3020 wrote to memory of 2276	3020	Qcma_setup-0.4.1.exe	30
PID 3020 wrote to memory of 2276	3020	Qcma_setup-0.4.1.exe	30
PID 3020 wrote to memory of 2276	3020	Qcma_setup-0.4.1.exe	30
PID 2276 wrote to memory of 552	2276	QcmaDriver_winusb.exe	31
PID 2276 wrote to memory of 552	2276	QcmaDriver_winusb.exe	31
PID 2276 wrote to memory of 552	2276	QcmaDriver_winusb.exe	31
PID 2276 wrote to memory of 552	2276	QcmaDriver_winusb.exe	31
PID 2276 wrote to memory of 768	2276	QcmaDriver_winusb.exe	32
PID 2276 wrote to memory of 768	2276	QcmaDriver_winusb.exe	32
PID 2276 wrote to memory of 768	2276	QcmaDriver_winusb.exe	32
PID 2276 wrote to memory of 768	2276	QcmaDriver_winusb.exe	32
PID 2276 wrote to memory of 768	2276	QcmaDriver_winusb.exe	32
PID 2276 wrote to memory of 768	2276	QcmaDriver_winusb.exe	32
PID 2276 wrote to memory of 768	2276	QcmaDriver_winusb.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Qcma_setup-0.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\Qcma_setup-0.4.1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Program Files\Qcma\driver\QcmaDriver_winusb.exe
  "C:\Program Files\Qcma\driver\QcmaDriver_winusb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe"
    3⤵
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:768

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7b759592-f3e8-6a64-4d3a-ba36af446355}\ps_vita_type_b_winusb.inf" "9" "64117ac4f" "00000000000004A0" "WinSta0\Default" "0000000000000554" "208" "c:\users\admin\appdata\local\temp\7zipsfx_000"
1⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C8" "00000000000005CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Program Files\Qcma\qcma.exe
"C:\Program Files\Qcma\qcma.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Qcma\Qt5Core.dll

Filesize
2.2MB

MD5
02b24284d10ae4b9c56d517074b5c0c1

SHA1
6d986198bc6f056b2e6a73e3b2d8149311519cfa

SHA256
b01225496746544a43b1d7817fa5d286bcbd98707c6329147d2b26ca5f122906

SHA512
561420b0cdbf71b6dd7f83d9444f794ee49086b8564b86dcf61c5e4e16763c0b5882cae10c2c2faf59446ea3e9f7f62569b277f299013744941059e1985518ff

Download Submit
C:\Program Files\Qcma\avcodec-57.dll

Filesize
2.6MB

MD5
659f6dee58e82d04bbe6ad106a32ea37

SHA1
677f74663ada2eb19ea59309567077e0ed0ec56f

SHA256
39310734e383bc5521fc08b5114e02a58cc4378d85b9e411b806084f686a4231

SHA512
b6093a1d1324c1b59d694b2a7cff24ff5beaf53048f3b415f61d33d8c7af71d4d9656e2b547a6e1cf3de7e97378e659eb9562e7e26ba01e86eec401d0b56f39f

Download Submit
C:\Program Files\Qcma\avformat-57.dll

Filesize
2.3MB

MD5
d3e1a79da548caaf169089b6df782b07

SHA1
42f719f70a9e5f9e45ef38cba80096754102c953

SHA256
dde27bffcce2fa4bd844daef799047b1005207d29b5f897bf7ad09633d9ef23e

SHA512
9333dfa1abb9ea5fc95558345330033333343154f5f8bce1d37c5362791d30e8e84b473b9ee0d23fc01facd5d93eb3de1cfff78d5fa2732f7edc534f5a406504

Download Submit
C:\Program Files\Qcma\driver\QcmaDriver_winusb.exe

Filesize
2.6MB

MD5
ab18654edf382fffc32410564f6cc664

SHA1
7be8f1150147df168c208580f7c0e8970a03205c

SHA256
2ccc7b4c95c172c15f3e464765981721620440195c3ea5d894c2b60df3176bab

SHA512
66bc500837197a41e6259cbd59c3c7cd4415cd36eeb6c82bb8805e7ac9e4cb986a0354455e61903cec44c9259120ab471981b8e63807cb805d70d6cafb44a68f

Download Submit
C:\Program Files\Qcma\driver\QcmaDriver_winusb.exe

Filesize
2.2MB

MD5
cf8ba1e59c8cd87299ffa6c21a33a60c

SHA1
c3c5ab7aa3178d68250de8320d55dc7bcc7c3a93

SHA256
506a6a6f4aedb4d2b978ca9cb5326404bc1004194d6985dd1a9ab5e7708002ec

SHA512
4ddee99c344a6aefb48fd79e2be83f6584e2fcf625eef06d7f72228e03f19a2950d618b04ddb17ae14b80582e8e296de4841034378a16d4b30f6254365c23867

Download Submit
C:\Program Files\Qcma\driver\QcmaDriver_winusb.exe

Filesize
344KB

MD5
d638f0e3b6fb4d296698a76b3796573f

SHA1
ed26de28fcd20c9def59e0e979c1d59e6fca4cfc

SHA256
6326bc5847b378d02ab26e3fd37cbcc72e7bc5079aed6c6f84e788c8856056a8

SHA512
7d98ca97de1c198e79b99d5bf94148279aff960784ab6f84d27c2d66c59a0316a3395887afcaa0464a3e42f42366d6b618dd468005761cfe615674f3a0e646a2

Download Submit
C:\Program Files\Qcma\libicudt57.dll

Filesize
1.9MB

MD5
c5aa2d5f8787cf8daea4eb5180ef9782

SHA1
e7b20e51be63506ca1e1aa1234f44fb0cefe5ef7

SHA256
8822c3da057bf246cb9bc480393da80139130e0ed82a83e8baf7db9e25d075df

SHA512
f0b00707fa6f3163bd74d476a4f59b9236a2230170a814e76b0aae29a37dd032b7d3ad5455b4fab3c5036a2977e69d5866e9db4f8c0a7f7f88f44a892136a774

Download Submit
C:\Program Files\Qcma\libicuin57.dll

Filesize
2.1MB

MD5
95d28534b02bdaebe77a0c3ba3963b44

SHA1
69f48986c5d4137297d8f2098824f752562afd1a

SHA256
c8d30dd5ce031f8145705e9d4b010d16f9e9db8d93bb62b83e652ca478b7eb50

SHA512
e4d68d047f03ad3c10c9f1282a24f0adef0824f245979d8bc5e08f0bfa8267a47b817f20175a949992d0524657ad05fcdfbfdcdacd1ecb3de1b793d98e3d9b65

Download Submit
C:\Program Files\Qcma\libpcre16-0.dll

Filesize
249KB

MD5
7e0fd40696cad17d9cc4704610e777dd

SHA1
2e3942efba409f6d07a75f105bf2c8e410103a2b

SHA256
ad44128ab1bdb4bb5e87114f42d5e6db02ad1bfb5adb931690c36140746aa30f

SHA512
aecab48ddcb6039294492e3f239cec446af99b2efff949d240c398a47da96ebf4f0e49a207744635595ccc0e36e383bb3d5f9762146632967d93df264be8d3b9

Download Submit
C:\Program Files\Qcma\libstdc++-6.dll

Filesize
512KB

MD5
4b7f87a94c4ea24c38b36e23192f1b89

SHA1
82f9b734c94900db04d234bfa15a53c34079a557

SHA256
b2df85e6e0cca9b5d48a85941bac9d1c717a8bdf65b471b3888dc9b11e77b265

SHA512
c02170849ca3402167502cb58185623209f24263074fa5da09b38bcce020dbd036a199905fc6adebf9732671a7d5a93a5922b43a31f1cbed3757ba83cf0bcfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\PS_Vita_Type_B_winusb.inf

Filesize
8KB

MD5
cb662dec2df9a26a27ed273f6c783018

SHA1
a0ec80b5719d4da4cf40c9219d7cb9ccad6dba40

SHA256
9686c3279c36961f17005c49158dd67980ad67ffd2e074f2cf45dbb134c27d04

SHA512
59887a22b4ad7cb79960102d6f704c98b70136bc130c67d960578cbb4098da9f56427091b618a24a5168742beeb5ceb92b24da5a98b2a337f50afb73e2a4b87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\amd64\libusbk.dll

Filesize
96KB

MD5
7abe7f583d5d52de4a9727f94419cc4b

SHA1
fa8489441ac82d22567b5c3d5b494576df54f37d

SHA256
592cd24bae321f1cb6cbe2f6e1bc5c05e279328e1c86814eb64ea1e89fdea188

SHA512
ec7c734dd954b7ffd5eb320c41a7dd7f481a632c8314028b020986e6310fb5eb25b7b274b6df1b442a9204d449f70d848032a7514776254ebee978753fedf3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\amd64\wdfcoinstaller01009.dll

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\amd64\winusbcoinstaller2.dll

Filesize
979KB

MD5
246900ce6474718730ecd4f873234cf5

SHA1
0c84b56c82e4624824154d27926ded1c45f4b331

SHA256
981a17effddbc20377512ddaec9f22c2b7067e17a3e2a8ccf82bb7bb7b2420b6

SHA512
6a9e305bfbfb57d8f8fd16edabef9291a8a97e4b9c2ae90622f6c056e518a0a731fbb3e33a2591d87c8e4293d0f983ec515e6a241792962257b82401a8811d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst.xml

Filesize
661B

MD5
83f46ef4f06d32f8b3201a2ea2189e19

SHA1
d1aca0fd1646bf0abf5ffb42b0ca27345c7155ae

SHA256
127b6d24415b513c1f3b5ffe63af1b395dbf868dafec44c4cbb367d81db9ae0c

SHA512
7b48181bc0d183416294c6277ce4205355868cc7be705dfb24d0baf70865173fde578222f6e1c8ffd9bea4ef58d6f4375b7e3eac9236f64bd7ae0fc0c55a84a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\x86\libusbk_x86.dll

Filesize
82KB

MD5
22e9219bc86bb8d3fb6209acdbf76739

SHA1
fc2350e45b0c7bdac7ac35f42b65f5fdfd622464

SHA256
22803c719494f193d22519bfaff9484fecdcf1fadd6f082efd024fcee0b97ba4

SHA512
411b5440ce5321e07a1e0ca3cae8699132792a5deeb348a0ed1078b9f43f4628568cb338621eeb879416e33e4c7e4f8db7387b5e244e1e1e57712d4aa1ef4bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5006.tmp\ioSpecial.ini

Filesize
659B

MD5
24ac2f0e6aaf0b0b01c549204054f0cf

SHA1
cb9726a7ff209ab27a265c8c7fd166380be9e3b0

SHA256
e161412db24c96c5177679332062254ab3f1c034cf46c4aab862e3ab30d2ec1f

SHA512
355a7ec8cb879c8437b62b5a4028e17d711542c94c59b45e12219a73fe0671c42d3e3ac814f31c13937faa2f6d924aa7fb78f0cc4be2b145dcde94276a98b137

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5006.tmp\ioSpecial.ini

Filesize
659B

MD5
89bbb53c057ddb4c198664f85c00dbcd

SHA1
843bcef262a5ad7531c583981c26651141ce3a5d

SHA256
42e3b700d78310adea876ef56c5eec54d467b07e0a5aaea703bfea9ba9e33ff5

SHA512
19d66370d027457898efce83df32d152a618bb0ee0fe2e0a9403568b23b7e6a1fc0efcd49f9d524a5e45e8032fc2490d1a266a731832519d2ed486149306609e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5006.tmp\ioSpecial.ini

Filesize
701B

MD5
ecae4b4af7465aa2593721a4414aaf39

SHA1
7ed659dec99d9e9d47e986c05f66c855e15762cd

SHA256
43517f4527dd56a7c86c44e2a3f84ef248fbeaac0fc31f1f9eb9dc563c5e0d49

SHA512
919686b036c32516935df55321ebad0e92d45cbbb39891d26ff9e5bfe57cb13a5a815d80565c53a89b0edc6b8e1e26e6a3ab9798b78828c121323081af8759bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5006.tmp\ioSpecial.ini

Filesize
727B

MD5
640c4af96087ba9c661d961faf978e7b

SHA1
683779cf57159cf3483a0c949ac1e59c9bca6fdb

SHA256
096310c4641d837cfe4526649d3f0a8120c7557f2b7ffc7cfc960f25c171dbe5

SHA512
c9f9e0e8c6653c5692557acf948f91d7d6abcf4471a8f8f748ef8e0db0cc2b738be3a8dcb672bb698fcf74f5c78cb6af72034e7220d2574b0a8b4a74db8e6c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5006.tmp\ioSpecial.ini

Filesize
745B

MD5
14553ecac166c82083803e1ece8449ad

SHA1
6609f1bced71316a9f5994f80b21c48d5ab0be05

SHA256
2b2d52787311e9d30ad6bf9adf6fdb3b37cda2718ad25985a9c1425011254683

SHA512
8b299574d5e6dcea1c75784d432d706c55e2d4e27bfcf4328e49fe7220eb4b91770d583bd2aa63b8d31347a8ccab29a26a2519a64d13ff25567c297c13767b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5006.tmp\ioSpecial.ini

Filesize
672B

MD5
834bc2dcf1c76b37ee39b9f2fee00784

SHA1
5fe7a39816e396b0a54bad47775e5a3f8d460a61

SHA256
eebd688d5347edb1eb7d82dbcd550183dab08e81be256f53766f76a350e933b1

SHA512
c82c41fab12c997e9e6917e9e3dee4bc9d469fca5eaa3d6d385e9be598cb7d0945b1ed18aecbd702a220ea3db89a7db2200e3a1b2f28fce4f93291436894b5a0

Download Submit
C:\Windows\System32\DriverStore\FileRepository\ps_vita_type_b_winusb.inf_amd64_neutral_79e169d980e30cba\ps_vita_type_b_winusb.PNF

Filesize
10KB

MD5
daa8d5477399b10975d96c5e4f4c9cfc

SHA1
93668f7fbd1917548b02cabc4a05a10f64063350

SHA256
634cc9a2f596fad2dae51fd322ea4a6d541a0466d575c441bffd3c244787cb36

SHA512
f08bdb6a9e1545d5a526cb130268b0fe084b063e168ea3b78ee09e6176c17474ac4591b6120acf31912d3e0ee4b576769def2d0c5b2b8a71629b9c8d9e623544

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx_000\PS_Vita_Type_B_winusb.cat

Filesize
3KB

MD5
b8dd4610fd53f93fec55b79ac47f1921

SHA1
6d86496517555dffc961907959db8bc06a79bb1c

SHA256
472c994dcbc0cafaabb9547207163c7b1a5ca464d7db7809109382efe9234e4a

SHA512
f1dc086dcef4df206de92e0ce6757cd267229be3ff8e45574c5d2e398f5bc36e00e4b9260b8ffea3a34aeb69fbb3cda2e9b4188d48198e3bd54d7ec680a71a10

Download Submit
\Program Files\Qcma\Qt5Core.dll

Filesize
2.1MB

MD5
1925fabccea0483d2f5e1236c59a58cd

SHA1
93534a88e4a50c2c8951d2a719c4e3f2c73af17a

SHA256
60c0866ffa761bd6501720ccac40b205410b81c60afee291d0c733e9eaaa432b

SHA512
b8af809846101c9b44efe064c6f9707bd8f96bf939ce5014b9bfbbb64ccc294cb4efe1f02b20d6b9a2d8cfe10bd5addb4404e89e6909035c78e37013e611d8f0

Download Submit
\Program Files\Qcma\avcodec-57.dll

Filesize
2.6MB

MD5
03afb015ab2f152ccb87cd905376d6ba

SHA1
c46fdb5ba1f6c119e6a088d6fc2302968ae7c5b0

SHA256
7759812e9abb2dd57a89909624228e8844d06afd4a592bcc7cd8da88f0f73db3

SHA512
2cab1c3fd70eac2585d2fa60237fc17b3417c46c533d757ee2c8a8ec4675ae3040985655f4a648e04293c34e807a59a0c0d49255144f82ff55d27508a012b648

Download Submit
\Program Files\Qcma\avformat-57.dll

Filesize
2.2MB

MD5
c222ac3ee4094710757a6924849c4de0

SHA1
9459830bb2ae52f49579d7952731a1ee98fc5b9f

SHA256
8051938e81b9f2cce4eb9912d54ed55f82602e5d536bf5b7e1c7b67260bbbf72

SHA512
b510c1bdca1f003fffac57ed9f52a098f5b3e4d8267e0d17b142a9174f68c987528d1fa8fa00cf0d292d6f2a665d90774fd27eea7c2285b6e2ace84ae33caff9

Download Submit
\Program Files\Qcma\avutil-55.dll

Filesize
531KB

MD5
629e49fb643ba264a2211c716a985463

SHA1
31f5e82b04042514026dd3fdee5658733530c34e

SHA256
25c3d4dcfeed081dc8622f6822864b48ee52d8cec606da654dfc14ad569fb289

SHA512
9b486b3e39f86654e8688a13e114613ca5d2c1c0c1d04f2d765c082a444140f6afbe5beeb1f91c28a5b721eb2a4900580e893e16fd74c04c2d589a831bdf3a6a

Download Submit
\Program Files\Qcma\driver\QcmaDriver_winusb.exe

Filesize
2.6MB

MD5
6e6c0b33cc85c21f52dbec034d7545b6

SHA1
4fc1627b50cfbe6dd7cd80c7bc3829d4ea84cfaf

SHA256
b004a9de7c967c728ac1fb0ea6761b41b58e0d1b8b08f4a42c369bcf7b7e3960

SHA512
4a4ca0d71dd7c688169d2480740204e88ff85d73518f0a17237b790c444c418c834067deb5e517183c768b54b313b222ff0f69e342582e3ecbcbaea98d3ef47d

Download Submit
\Program Files\Qcma\libgcc_s_seh-1.dll

Filesize
81KB

MD5
af57bd17b084ae00f6130b8641de5a36

SHA1
8067a62628b670797af574f0cc606262639dd28d

SHA256
a6e9cc809dff67f3e19fa619d6c8ed12fee915e1d8f6da3524b0a5e2c47debdb

SHA512
4d68ee171a1202c056e1ea7b0bd1c262f7dd57645eebde75bf96112e6c5074a90b7b43fb02dae1adb8ece639f9c6061e30787f4707e6e69be2650229f5e4b3e7

Download Submit
\Program Files\Qcma\libicudt57.dll

Filesize
1.8MB

MD5
123a25dfe30aa420ba1784c8ebf5d38d

SHA1
83623796b40967390d3e41b31add9b538b00b3d6

SHA256
feb3a7f22cfe243b5d1616f7ffd5d0d218f7b38e59aeab788038ed0cac74153a

SHA512
33d1bdf69bfad809c3b41152dcce8ec6d3a65c68a50755ddbd925308f847cca9530095ed5be62f4020d8256613e38668c7a2035a5694dc72c639a23c89d852ac

Download Submit
\Program Files\Qcma\libicuin57.dll

Filesize
2.0MB

MD5
69f453d492716de74b3f57f4383b797d

SHA1
6b4d28e359a0756124fb4b8dd203959e92ebea59

SHA256
48bdaf70f23baf0fadc83b085b13c7e6eea8e88d97bfa2c17dcfc1e2ff30e194

SHA512
5c83e37d01c64068c448656ffae5853a80af07eb4d8899f985fe5fb254f2454eca85d622acdfb0aeaeab3aa0c3bb6453570fed5f869b30b8f300c933d5e32996

Download Submit
\Program Files\Qcma\libicuuc57.dll

Filesize
1.4MB

MD5
155ddbb21c2e3d423df6a18a92b7a175

SHA1
7f8ccd32f628fe0b0470d5115e7288e1f7eacd1a

SHA256
c78e82e58b23e45d2697088fe7e0d1a7a5dd7c53301338e15d35366fcb2f54d5

SHA512
456bd3824df1407d5a630d276387638c5a8f259f2a8019425fef28dd5c261fea31ad7442479f3b4cb4c5d4cd6c0c58cbd235e144e90f61e118095dc617e80749

Download Submit
\Program Files\Qcma\libpcre16-0.dll

Filesize
64KB

MD5
d381caae6c55d1a16909a62549c6b140

SHA1
d8f7d08bed674a30098b598c4be88167e913f956

SHA256
3234207a528912e17f967b9cdae97bda95eddf0db561a5fa7fd7edd810cb9fa7

SHA512
e717a941bc6177038acb316e9545f17347099f2acb79d7ed6939d56180d0ef601fe17aee0a90fc4edb6c5294901c2d4f5175da724fd9108b1b2f5782aa1078e1

Download Submit
\Program Files\Qcma\libstdc++-6.dll

Filesize
1.4MB

MD5
af09a45447c3bf1bfd7c650cd8b060c7

SHA1
fdd629858a8a2f035f81293df40ed151409be6e6

SHA256
821e40488ee797e29d173e42d5bec669203fd9676a687acf3d0a21a7a1446b28

SHA512
4642c9bd42c619cfcfea98d2f25824d9ac8d6f0ef7e535795405a19268ded13b0e2a1ade49078d79292423ecfbe9d4d6378e55ebfdd83f9dfafd99023693c0cb

Download Submit
\Program Files\Qcma\libwinpthread-1.dll

Filesize
55KB

MD5
4360d6f850cfea0c828bc16968cb35ee

SHA1
5b8d9de1b3cb32d6022ff00f4af8cac6ab09cbb5

SHA256
5aa330e337e5416deceef5958eb9c235391c5f3ad46170df43066ff24c9c2a4f

SHA512
cfe31c399fc131109b9a0bd6d851c6a698e96ac76be8134e11b151409597f4f3bb8deddd08780b29925e8f7976831c753be8b6480716f63578be67c2e22cbf37

Download Submit
\Program Files\Qcma\qcma.exe

Filesize
499KB

MD5
38668f5a9f9f5025abf42e47fde9b86e

SHA1
b28cb3eee4deed270c71645b85e11157356a23ca

SHA256
d934e143cf66a177c40b0a02721f21315af4bc4e7d47fe9fed13503a96432adb

SHA512
5af3853b095a65a065e923520e0c4c3a1860f6f45516106d345ede94d9e490bd09f2fe6231c1756a6429b7e6a0121be15fbf69166c36f29f760bfea9a236afcb

Download Submit
\Program Files\Qcma\swresample-2.dll

Filesize
332KB

MD5
9a6e8a57beb33f66bd971f2b288160ba

SHA1
6eec6b37da5782d4263c4c18c49f218a0094c351

SHA256
a1362da6c19417b35e9d052e73c5e4d86809f4d08fe5193adfeec783b76a3df7

SHA512
fb4895dad1c20f0313f4e77ccb205ffb5b8dec7e459404bdb48444d6404de44ea113360e29c4c7ff07161ad2f18db9d08647b5a2a387ef774bb392853f561d35

Download Submit
\Program Files\Qcma\uninstall.exe

Filesize
86KB

MD5
9b999dc3c9dc0f852625c9c34ef520a1

SHA1
a547d8bf16661d38f9b0149797f74e6c7f12f305

SHA256
f89e5f6af3d5793af2ddc908291c1851445ed4219eb90848741a4e463732a74a

SHA512
893384eac0e96dea6b4b8d554c73b3852bc0a46ec090c4812e95defdad34dcac13983bead2545bce9408eef6e9c23c291e17fa758d9687d32ecacc33c93df56c

Download Submit
\Program Files\Qcma\zlib1.dll

Filesize
64KB

MD5
3086300c8d00623d8e8176599d1ac0d1

SHA1
14ad62ef99235bb0dccdb2ac7224a5b62fa7e539

SHA256
db15dc5ca7c881907b34e68b4081f4111f34a6711e6fb93d98d793dd1ba701a0

SHA512
3b9c55354f0cc7a51268491d5bef1abd8692025846e83a46bd6e07f6a68dc3a46667d9ef02d05c97de9886f9076fd91253e3ba5d92c71b7a357a6a671c9df877

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe

Filesize
1.0MB

MD5
be3c79033fa8302002d9d3a6752f2263

SHA1
a01147731f2e500282eca5ece149bcc5423b59d6

SHA256
181bf85d3b5900ff8abed34bc415afc37fc322d9d7702e14d144f96a908f5cab

SHA512
77097f220cc6d22112b314d3e42b6eedb9ccd72beb655b34656326c2c63fb9209977ddac20e9c53c4ec7ccc8ea6910f400f050f4b0cb98c9f42f89617965aaea

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe

Filesize
36KB

MD5
eb7409d7cd6e8d8edec5e3209385f88a

SHA1
31555fc8fca9ee669a82dafe4b5876900877a61d

SHA256
7a40e13568d9a4e33fb7ed34dc0abd21a9c097beae9c0e4ade3b99f05a0f60d9

SHA512
4038ad98ac4550daad41011de597c54a57f923b624c9088f52ebbbbc5822466959e08d00d9276a35c78133807b22613a52811a7517629a16e93a52a041b44f4f

Download Submit
\Users\Admin\AppData\Local\Temp\nso5006.tmp\InstallOptions.dll

Filesize
14KB

MD5
2e35876a2b9842d48eed3817809a78eb

SHA1
3e1a36b9758d9e0dabeba65895f4a091f801583e

SHA256
c36d864cd5464add57008985fa901ef4ba32d9831465732b1aa06078a42608d2

SHA512
1776cb43ea9773bf564876e7ba23b05b37b88457f7085622f5d57ebda9886352da5eefba4ab7d44ae16a8a0a0007e1b9fe8b4d22ef0c402e127467070dae0eb9

Download Submit
\Users\Admin\AppData\Local\Temp\nso5006.tmp\LangDLL.dll

Filesize
5KB

MD5
7af1e33d85459fbd2cf7ef29d7528e9e

SHA1
8a90d81eeabd6886e5b5985d3d10e3f435ccf00d

SHA256
958b118ec87610f25232eb6257168bdbbf210cf2511bf38fb54bf4ffc908abb2

SHA512
1aa61538a5fec5bb27dca4305f4b856446e032321f55f26c5e949bb125220a4c319c51c2050697cda6c39ba784eaf2f041ee742f57d3e2e8a6e9f6ec96007145

Download Submit
\Users\Admin\AppData\Local\Temp\nso5006.tmp\StartMenu.dll

Filesize
7KB

MD5
abba50aeb1da3cd1ad1e79a89701b02e

SHA1
bff5bcc8cb0667934b6c743b3f64f6a594f06826

SHA256
7a4268edf9d327766f22d4126f8dd070db611836f5336af1a864a1f8cfa7939b

SHA512
b730cd5fdca693331e8789318aa5536950bfbd691ec4047eca8dce9f8a4b0f960210261a44fb502839c20f02a20c1027aca23c7e32b84f79c2cca3ba5a3ab13c

Download Submit
\Users\Admin\AppData\Local\Temp\nso5006.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
\Users\Admin\AppData\Local\Temp\nso5006.tmp\UserInfo.dll

Filesize
4KB

MD5
5313bec6ccd0ce90e798a800abbec57c

SHA1
bdb901fefadddabb71c4eb8841bff9289b09fdf9

SHA256
eae1525ec6a3bcf9e659ffc82112bdeeabb8f0d35e445c9586b08460447b014e

SHA512
915242185d2231e2f5aa2c92d19e10f2377b81339e8aecf2e6a108db18b9e2c35dca743f4904c6f3cad35bbc026e195ab77e62b0241d448af3f8ab6a944996d5

Download Submit
memory/2848-534-0x000000006FC40000-0x000000006FDA8000-memory.dmp

Filesize
1.4MB

Download
memory/2848-547-0x00000000693C0000-0x0000000069464000-memory.dmp

Filesize
656KB

Download
memory/2848-531-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2848-532-0x0000000061440000-0x000000006145C000-memory.dmp

Filesize
112KB

Download
memory/2848-533-0x0000000064940000-0x0000000064955000-memory.dmp

Filesize
84KB

Download
memory/2848-529-0x0000000000500000-0x0000000000960000-memory.dmp

Filesize
4.4MB

Download
memory/2848-535-0x000007FEF3D10000-0x000007FEF60BD000-memory.dmp

Filesize
35.7MB

Download
memory/2848-536-0x000007FEF3C60000-0x000007FEF3D02000-memory.dmp

Filesize
648KB

Download
memory/2848-537-0x000007FEF3BC0000-0x000007FEF3C51000-memory.dmp

Filesize
580KB

Download
memory/2848-538-0x000007FEF3610000-0x000007FEF3BBF000-memory.dmp

Filesize
5.7MB

Download
memory/2848-539-0x0000000066740000-0x0000000066B71000-memory.dmp

Filesize
4.2MB

Download
memory/2848-541-0x0000000069C40000-0x0000000069DB3000-memory.dmp

Filesize
1.4MB

Download
memory/2848-540-0x0000000061C80000-0x0000000061EA1000-memory.dmp

Filesize
2.1MB

Download
memory/2848-543-0x000000006B640000-0x000000006B686000-memory.dmp

Filesize
280KB

Download
memory/2848-544-0x0000000062E80000-0x0000000062E9D000-memory.dmp

Filesize
116KB

Download
memory/2848-545-0x0000000000500000-0x0000000000960000-memory.dmp

Filesize
4.4MB

Download
memory/2848-546-0x0000000061600000-0x0000000061686000-memory.dmp

Filesize
536KB

Download
memory/2848-530-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/2848-548-0x00000000626C0000-0x00000000626DA000-memory.dmp

Filesize
104KB

Download
memory/2848-550-0x0000000000960000-0x0000000000A76000-memory.dmp

Filesize
1.1MB

Download
memory/2848-551-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/2848-552-0x0000000066000000-0x0000000066109000-memory.dmp

Filesize
1.0MB

Download
memory/2848-553-0x0000000069140000-0x000000006918B000-memory.dmp

Filesize
300KB

Download
memory/2848-554-0x0000000070540000-0x000000007057E000-memory.dmp

Filesize
248KB

Download
memory/2848-549-0x0000000068B40000-0x0000000068B7F000-memory.dmp

Filesize
252KB

Download
memory/2848-555-0x000000006D200000-0x000000006D36C000-memory.dmp

Filesize
1.4MB

Download
memory/2848-556-0x000000006F000000-0x000000006F046000-memory.dmp

Filesize
280KB

Download
memory/2848-542-0x0000000066F00000-0x0000000068788000-memory.dmp

Filesize
24.5MB

Download
memory/2848-557-0x0000000000A80000-0x0000000001001000-memory.dmp

Filesize
5.5MB

Download
memory/2848-559-0x0000000001010000-0x0000000001053000-memory.dmp

Filesize
268KB

Download
memory/2848-560-0x000000006B600000-0x000000006B640000-memory.dmp

Filesize
256KB

Download
memory/2848-558-0x000007FEF3350000-0x000007FEF33E3000-memory.dmp

Filesize
588KB

Download
memory/2848-562-0x0000000063CC0000-0x0000000063CEC000-memory.dmp

Filesize
176KB

Download
memory/2848-561-0x0000000070F40000-0x000000007108A000-memory.dmp

Filesize
1.3MB

Download