2f0a2fae5dd7a296a92a58906a100b66575912d90254770e4bfb8923623ec26a

Analysis

max time kernel
147s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IriunWebcam-2.8.4.exe
Size

3.9MB
MD5

2743f081c2a4369f0a50fca6ac035d13
SHA1

8a4968da973dead25a678404bf2e6772b09381f5
SHA256

2f0a2fae5dd7a296a92a58906a100b66575912d90254770e4bfb8923623ec26a
SHA512

e48ad69fdb83efdc0d8a79aaacc783fcf1be305a8d8628e8888114a275fa8333cc92539045b63878bf9da63300feabce0d5d87b0668fb3e07d893902cb638c19
SSDEEP

98304:NkLPf34mxE/CO7+wFws3ZWaPPkRqM48wAPdv0e4gWoJ0Rh:+PfImLqisY0SRv0e4gHJmh

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\SET2C1C.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SET2C1C.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\iriuna0.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe

Executes dropped EXE 22 IoCs

pid	Process
4992	IriunWebcam-2.8.4.tmp
4912	netcorecheck.exe
3940	dotnet60desktop.exe
1432	dotnet60desktop.exe
4416	windowsdesktop-runtime-6.0.14-win-x86.exe
392	devcon.exe
3280	devcon.exe
3796	devcon.exe
2220	devcon.exe
5052	devcon.exe
1928	devcon.exe
3052	devcon.exe
840	devcon.exe
4964	devcon.exe
3316	devcon.exe
3048	devcon.exe
796	IriunWebcam.exe
4352	adb.exe
3444	adb.exe
3168	adb.exe
1944	adb.exe
2576	adb.exe

Loads dropped DLL 64 IoCs

pid	Process
1432	dotnet60desktop.exe
1696	MsiExec.exe
3028	MsiExec.exe
4464	MsiExec.exe
2352	MsiExec.exe
3408	regsvr32.exe
3376	regsvr32.exe
2196	regsvr32.exe
4464	WUDFHost.exe
3940	svchost.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe
796	IriunWebcam.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{596419B9-519E-495A-9DB9-48E9648A5A56}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{596419B9-519E-495A-9DB9-48E9648A5A56}\InprocServer32\ = "%SystemRoot%\\System32\\DriverStore\\FileRepository\\iriunv0.inf_amd64_2d7dba8e9bda8fdd\\Iriunv.dll"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{596419B9-519E-495A-9DB9-48E9648A5A56}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c31ad3df-16b7-41b3-81fa-7658cb450781} = "\"C:\\ProgramData\\Package Cache\\{c31ad3df-16b7-41b3-81fa-7658cb450781}\\windowsdesktop-runtime-6.0.14-win-x86.exe\" /burn.runonce"	windowsdesktop-runtime-6.0.14-win-x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29DA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29DC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunaud.inf_amd64_fb925fb3215729d7\iriuna1.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunaud.inf_amd64_fb925fb3215729d7\iriuna3.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iriunaud.inf_amd64_fb925fb3215729d7\iriunaud.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunv0.inf_amd64_2d7dba8e9bda8fdd\Iriunv.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\iriuna1.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunaud.inf_amd64_fb925fb3215729d7\iriuna0.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\SET2D54.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\SET2D67.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\Iriunv0Driver.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iriunv0.inf_amd64_2d7dba8e9bda8fdd\iriunv0.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29EE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\iriunaud.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunaud.inf_amd64_fb925fb3215729d7\iriunaud.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\SET2D54.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunv0.inf_amd64_2d7dba8e9bda8fdd\iriunv0.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunaud.inf_amd64_fb925fb3215729d7\iriuna2.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\SET2D65.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunv0.inf_amd64_2d7dba8e9bda8fdd\Iriunv0Driver.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunv0.inf_amd64_2d7dba8e9bda8fdd\Iriunv0.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\iriuna0.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29ED.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\iriunaud.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\SET2D67.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\SET2D66.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29DA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29DB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\iriuna2.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29DD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\Iriunv0.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29EE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iriunaud.inf_amd64_fb925fb3215729d7\iriunaud.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29DB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29DC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29DD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\iriuna3.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f0d650cd-e9b2-b148-acd7-dff6cc900ced}\SET29ED.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\Iriunv.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\SET2D65.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\SET2D66.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{98fb20e6-c49d-5e4c-bc20-75a9d0a37baa}\iriunv0.inf	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.AppContext.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Text.Encodings.Web.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Text.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\Microsoft.WindowsDesktop.App.runtimeconfig.json	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\pl\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\System.Diagnostics.PerformanceCounter.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\es\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\es\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\ja\PresentationFramework.resources.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Iriun Webcam\devcon.exe	IriunWebcam-2.8.4.tmp
File created	C:\Program Files (x86)\Iriun Webcam\is-7FMQH.tmp	IriunWebcam-2.8.4.tmp
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Diagnostics.Debug.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\ja\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\ru\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\LICENSE.txt	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\ko\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Reflection.DispatchProxy.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\ru\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\ko\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\DirectWriteForwarder.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\it\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\it\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Net.WebClient.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Resources.Writer.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\PresentationFramework.AeroLite.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\zh-Hant\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\zh-Hant\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\fr\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Text.Encoding.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Runtime.InteropServices.RuntimeInformation.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\zh-Hans\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\PresentationFramework-SystemXmlLinq.dll	msiexec.exe
File created	C:\Program Files (x86)\Iriun Webcam\is-SP9CB.tmp	IriunWebcam-2.8.4.tmp
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\pt-BR\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\PresentationFramework.Luna.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\pl\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\zh-Hans\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\cs\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Runtime.Serialization.Formatters.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\pt-BR\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\pt-BR\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Security.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\pl\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\ko\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\cs\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\api-ms-win-core-console-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Private.Xml.Linq.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\PresentationFramework.Classic.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\de\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.IO.FileSystem.DriveInfo.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\tr\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\de\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\Microsoft.NETCore.App.runtimeconfig.json	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\tr\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\System.Printing.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Xml.XPath.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.14\System.Reflection.Primitives.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.14\System.Windows.Forms.Design.dll	msiexec.exe

Drops file in Windows directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFEF0BE141BC2AEF34.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBC5E9BDB2E9C47DD.TMP	msiexec.exe
File created	C:\Windows\Installer\e57debb.msi	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\SystemTemp\~DFB79B2FB544523738.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dea8.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF93577F776855A47A.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFAA11A71FB4D83DB5.TMP	msiexec.exe
File created	C:\Windows\Installer\e57deac.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dead.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF736877AE8200362F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI744.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\Installer\e57deb6.msi	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e57dead.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7F469D8555C5F767.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2863526D3FFD1DCE.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{101779FE-3FE4-420A-94DD-01B3ED37DE84}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF34.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF81BDEBDB73BAA185.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0CA8F91E-EE14-4ED7-94A4-BAD16EA67D2F}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File created	C:\Windows\INF\c_camera.PNF	devcon.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57deb1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57deb2.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF46672398B953234.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA0B3B60BBFBAAC4D.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF42664B7E8201E861.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB5A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF74942441130F91D9.TMP	msiexec.exe
File created	C:\Windows\INF\c_media.PNF	devcon.exe
File created	C:\Windows\Installer\SourceHash{C20F1D07-10B7-4B92-8FA0-DF8E58D6467F}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF013F612E95A35532.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e57deb7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A41.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF703.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\Installer\MSIFCA3.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF85EB1D35E37D2C23.TMP	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{364225D5-48A0-4CF2-9BDF-F72872EE07FF}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\Installer\e57dea8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE762.tmp	msiexec.exe
File created	C:\Windows\Installer\e57deb2.msi	msiexec.exe
File created	C:\Windows\Installer\e57deb7.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF32C98BA2AE4BF999.TMP	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\70D1F02C7B0129B4F80AFDE8856D64F7\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5A036181AE3507D45E36606F9464ED83	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E19F8AC041EE7DE4494AAB1DE66AD7F2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E19F8AC041EE7DE4494AAB1DE66AD7F2\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EF9771014EF3A02449DD103BDE73ED48\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.59.55235_x86\Dependents\{c31ad3df-16b7-41b3-81fa-7658cb450781}	windowsdesktop-runtime-6.0.14-win-x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x86\Dependents\{c31ad3df-16b7-41b3-81fa-7658cb450781}	windowsdesktop-runtime-6.0.14-win-x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EF9771014EF3A02449DD103BDE73ED48\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EF9771014EF3A02449DD103BDE73ED48\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E19F8AC041EE7DE4494AAB1DE66AD7F2\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E19F8AC041EE7DE4494AAB1DE66AD7F2\Version = "809228227"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\087CC84DFBD5AC67674072B270D13BAB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.59.55225_x86\ = "{101779FE-3FE4-420A-94DD-01B3ED37DE84}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.59.55235_x86\ = "{0CA8F91E-EE14-4ED7-94A4-BAD16EA67D2F}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x86\ = "{364225D5-48A0-4CF2-9BDF-F72872EE07FF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\087CC84DFBD5AC67674072B270D13BAB\E19F8AC041EE7DE4494AAB1DE66AD7F2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E19F8AC041EE7DE4494AAB1DE66AD7F2\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70D1F02C7B0129B4F80AFDE8856D64F7\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\70D1F02C7B0129B4F80AFDE8856D64F7\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70D1F02C7B0129B4F80AFDE8856D64F7\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.59.55225_x86\Dependents	windowsdesktop-runtime-6.0.14-win-x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x86\DisplayName = "Microsoft .NET Host - 6.0.14 (x86)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5A036181AE3507D45E36606F9464ED83\5D5224630A842FC4B9FD7F8227EE70FF	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F9F26C187950476D88FEDA9119EF650	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.59.55235_x86\Dependents	windowsdesktop-runtime-6.0.14-win-x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EF9771014EF3A02449DD103BDE73ED48\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{101779FE-3FE4-420A-94DD-01B3ED37DE84}v48.59.55225\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EF9771014EF3A02449DD103BDE73ED48\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{364225D5-48A0-4CF2-9BDF-F72872EE07FF}v48.59.55225\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.59.55235_x86	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E19F8AC041EE7DE4494AAB1DE66AD7F2\SourceList\PackageName = "windowsdesktop-runtime-6.0.14-win-x86.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{c31ad3df-16b7-41b3-81fa-7658cb450781}\Dependents\{c31ad3df-16b7-41b3-81fa-7658cb450781}	windowsdesktop-runtime-6.0.14-win-x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EF9771014EF3A02449DD103BDE73ED48\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{101779FE-3FE4-420A-94DD-01B3ED37DE84}v48.59.55225\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.59.55225_x86\Dependents	windowsdesktop-runtime-6.0.14-win-x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70D1F02C7B0129B4F80AFDE8856D64F7\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x86\Version = "48.59.55225"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5D5224630A842FC4B9FD7F8227EE70FF\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\ProductName = "Microsoft .NET Host - 6.0.14 (x86)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{596419B9-519E-495A-9DB9-48E9648A5A56}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EF9771014EF3A02449DD103BDE73ED48\PackageCode = "3DA8A74CC0F02B442A3DA3389FC883FC"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{364225D5-48A0-4CF2-9BDF-F72872EE07FF}v48.59.55225\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.59.55225_x86	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70D1F02C7B0129B4F80AFDE8856D64F7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.59.55225_x86\ = "{C20F1D07-10B7-4B92-8FA0-DF8E58D6467F}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.59.55225_x86	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.59.55225_x86\Version = "48.59.55225"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\70D1F02C7B0129B4F80AFDE8856D64F7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E19F8AC041EE7DE4494AAB1DE66AD7F2\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E19F8AC041EE7DE4494AAB1DE66AD7F2\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EF9771014EF3A02449DD103BDE73ED48\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.59.55225_x86	windowsdesktop-runtime-6.0.14-win-x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.59.55235_x86\Version = "48.59.55235"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EF9771014EF3A02449DD103BDE73ED48\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70D1F02C7B0129B4F80AFDE8856D64F7\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C20F1D07-10B7-4B92-8FA0-DF8E58D6467F}v48.59.55225\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D5224630A842FC4B9FD7F8227EE70FF\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{c31ad3df-16b7-41b3-81fa-7658cb450781}\Version = "6.0.14.32124"	windowsdesktop-runtime-6.0.14-win-x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5D5224630A842FC4B9FD7F8227EE70FF	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x86\Dependents	windowsdesktop-runtime-6.0.14-win-x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EF9771014EF3A02449DD103BDE73ED48\SourceList	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	devcon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	devcon.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3440	msiexec.exe
3440	msiexec.exe
3440	msiexec.exe
3440	msiexec.exe
3440	msiexec.exe
3440	msiexec.exe
3440	msiexec.exe
3440	msiexec.exe
4992	IriunWebcam-2.8.4.tmp
4992	IriunWebcam-2.8.4.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4992	IriunWebcam-2.8.4.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeIncreaseQuotaPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeSecurityPrivilege	3440	msiexec.exe
Token: SeCreateTokenPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeAssignPrimaryTokenPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeLockMemoryPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeIncreaseQuotaPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeMachineAccountPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeTcbPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeSecurityPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeTakeOwnershipPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeLoadDriverPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeSystemProfilePrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeSystemtimePrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeProfSingleProcessPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeIncBasePriorityPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeCreatePagefilePrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeCreatePermanentPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeBackupPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeRestorePrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeShutdownPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeDebugPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeAuditPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeSystemEnvironmentPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeChangeNotifyPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeRemoteShutdownPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeUndockPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeSyncAgentPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeEnableDelegationPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeManageVolumePrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeImpersonatePrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeCreateGlobalPrivilege	4416	windowsdesktop-runtime-6.0.14-win-x86.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe
Token: SeRestorePrivilege	3440	msiexec.exe
Token: SeTakeOwnershipPrivilege	3440	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4992	IriunWebcam-2.8.4.tmp
1432	dotnet60desktop.exe
796	IriunWebcam.exe
796	IriunWebcam.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
796	IriunWebcam.exe
796	IriunWebcam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4992	4784	IriunWebcam-2.8.4.exe	70
PID 4784 wrote to memory of 4992	4784	IriunWebcam-2.8.4.exe	70
PID 4784 wrote to memory of 4992	4784	IriunWebcam-2.8.4.exe	70
PID 4992 wrote to memory of 4912	4992	IriunWebcam-2.8.4.tmp	81
PID 4992 wrote to memory of 4912	4992	IriunWebcam-2.8.4.tmp	81
PID 4992 wrote to memory of 4912	4992	IriunWebcam-2.8.4.tmp	81
PID 4992 wrote to memory of 3940	4992	IriunWebcam-2.8.4.tmp	87
PID 4992 wrote to memory of 3940	4992	IriunWebcam-2.8.4.tmp	87
PID 4992 wrote to memory of 3940	4992	IriunWebcam-2.8.4.tmp	87
PID 3940 wrote to memory of 1432	3940	dotnet60desktop.exe	88
PID 3940 wrote to memory of 1432	3940	dotnet60desktop.exe	88
PID 3940 wrote to memory of 1432	3940	dotnet60desktop.exe	88
PID 1432 wrote to memory of 4416	1432	dotnet60desktop.exe	90
PID 1432 wrote to memory of 4416	1432	dotnet60desktop.exe	90
PID 1432 wrote to memory of 4416	1432	dotnet60desktop.exe	90
PID 3440 wrote to memory of 1696	3440	msiexec.exe	97
PID 3440 wrote to memory of 1696	3440	msiexec.exe	97
PID 3440 wrote to memory of 1696	3440	msiexec.exe	97
PID 3440 wrote to memory of 3028	3440	msiexec.exe	100
PID 3440 wrote to memory of 3028	3440	msiexec.exe	100
PID 3440 wrote to memory of 3028	3440	msiexec.exe	100
PID 3440 wrote to memory of 4464	3440	msiexec.exe	102
PID 3440 wrote to memory of 4464	3440	msiexec.exe	102
PID 3440 wrote to memory of 4464	3440	msiexec.exe	102
PID 3440 wrote to memory of 2352	3440	msiexec.exe	107
PID 3440 wrote to memory of 2352	3440	msiexec.exe	107
PID 3440 wrote to memory of 2352	3440	msiexec.exe	107
PID 4992 wrote to memory of 392	4992	IriunWebcam-2.8.4.tmp	109
PID 4992 wrote to memory of 392	4992	IriunWebcam-2.8.4.tmp	109
PID 4992 wrote to memory of 3280	4992	IriunWebcam-2.8.4.tmp	111
PID 4992 wrote to memory of 3280	4992	IriunWebcam-2.8.4.tmp	111
PID 4992 wrote to memory of 3796	4992	IriunWebcam-2.8.4.tmp	113
PID 4992 wrote to memory of 3796	4992	IriunWebcam-2.8.4.tmp	113
PID 4992 wrote to memory of 2220	4992	IriunWebcam-2.8.4.tmp	115
PID 4992 wrote to memory of 2220	4992	IriunWebcam-2.8.4.tmp	115
PID 4992 wrote to memory of 5052	4992	IriunWebcam-2.8.4.tmp	117
PID 4992 wrote to memory of 5052	4992	IriunWebcam-2.8.4.tmp	117
PID 4992 wrote to memory of 1928	4992	IriunWebcam-2.8.4.tmp	119
PID 4992 wrote to memory of 1928	4992	IriunWebcam-2.8.4.tmp	119
PID 4992 wrote to memory of 3052	4992	IriunWebcam-2.8.4.tmp	121
PID 4992 wrote to memory of 3052	4992	IriunWebcam-2.8.4.tmp	121
PID 4992 wrote to memory of 840	4992	IriunWebcam-2.8.4.tmp	123
PID 4992 wrote to memory of 840	4992	IriunWebcam-2.8.4.tmp	123
PID 4992 wrote to memory of 4964	4992	IriunWebcam-2.8.4.tmp	125
PID 4992 wrote to memory of 4964	4992	IriunWebcam-2.8.4.tmp	125
PID 4992 wrote to memory of 3408	4992	IriunWebcam-2.8.4.tmp	127
PID 4992 wrote to memory of 3408	4992	IriunWebcam-2.8.4.tmp	127
PID 4992 wrote to memory of 3408	4992	IriunWebcam-2.8.4.tmp	127
PID 4992 wrote to memory of 3376	4992	IriunWebcam-2.8.4.tmp	128
PID 4992 wrote to memory of 3376	4992	IriunWebcam-2.8.4.tmp	128
PID 4992 wrote to memory of 3376	4992	IriunWebcam-2.8.4.tmp	128
PID 3376 wrote to memory of 2196	3376	regsvr32.exe	129
PID 3376 wrote to memory of 2196	3376	regsvr32.exe	129
PID 4992 wrote to memory of 3316	4992	IriunWebcam-2.8.4.tmp	130
PID 4992 wrote to memory of 3316	4992	IriunWebcam-2.8.4.tmp	130
PID 5068 wrote to memory of 4968	5068	svchost.exe	133
PID 5068 wrote to memory of 4968	5068	svchost.exe	133
PID 5068 wrote to memory of 1944	5068	svchost.exe	134
PID 5068 wrote to memory of 1944	5068	svchost.exe	134
PID 4992 wrote to memory of 3048	4992	IriunWebcam-2.8.4.tmp	136
PID 4992 wrote to memory of 3048	4992	IriunWebcam-2.8.4.tmp	136
PID 5068 wrote to memory of 4296	5068	svchost.exe	138
PID 5068 wrote to memory of 4296	5068	svchost.exe	138
PID 5068 wrote to memory of 5004	5068	svchost.exe	139

C:\Users\Admin\AppData\Local\Temp\IriunWebcam-2.8.4.exe
"C:\Users\Admin\AppData\Local\Temp\IriunWebcam-2.8.4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\is-1OPDH.tmp\IriunWebcam-2.8.4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1OPDH.tmp\IriunWebcam-2.8.4.tmp" /SL5="$60082,3213621,845312,C:\Users\Admin\AppData\Local\Temp\IriunWebcam-2.8.4.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\netcorecheck.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\netcorecheck.exe" Microsoft.WindowsDesktop.App 6.0.14
    3⤵
    - Executes dropped EXE
    PID:4912
- - C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\dotnet60desktop.exe
    "C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\dotnet60desktop.exe" /lcid 1033 /passive /norestart
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\Temp\{F78924BB-3683-4204-AF05-84CFFC441E2D}\.cr\dotnet60desktop.exe
      "C:\Windows\Temp\{F78924BB-3683-4204-AF05-84CFFC441E2D}\.cr\dotnet60desktop.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\dotnet60desktop.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /lcid 1033 /passive /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\Temp\{E1DD51C4-CC8E-40C7-8B98-BCF478A98D45}\.be\windowsdesktop-runtime-6.0.14-win-x86.exe
        
        "C:\Windows\Temp\{E1DD51C4-CC8E-40C7-8B98-BCF478A98D45}\.be\windowsdesktop-runtime-6.0.14-win-x86.exe" -q -burn.elevated BurnPipe.{22B2D77A-A41D-46A4-9646-B08E3F6D3BE2} {2CD5BF4A-E8FE-4794-9265-069F9C2C3D3F} 1432
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove ROOT\IriunA0
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:392
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove ROOT\IriunA1
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3280
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove ROOT\IriunA2
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3796
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove ROOT\IriunA3
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2220
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove Root\iriunvid
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:5052
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove root\Iriunv0
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:1928
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove root\Iriunv1
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3052
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove root\Iriunv2
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:840
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" remove root\Iriunv3
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4964
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /u /s video32.dll"
    3⤵
    - Loads dropped DLL
    PID:3408
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /u /s video64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\system32\regsvr32.exe
      /u /s video64.dll"
      4⤵
      Loads dropped DLL
      PID:2196
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" install iriunaud.inf ROOT\IriunA0
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:3316
- - C:\Program Files (x86)\Iriun Webcam\devcon.exe
    "C:\Program Files (x86)\Iriun Webcam\devcon.exe" install iriunv0.inf root\iriunv0
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies system certificate store
    PID:3048
- - C:\Program Files (x86)\Iriun Webcam\IriunWebcam.exe
    "C:\Program Files (x86)\Iriun Webcam\IriunWebcam.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:796
  - - C:\Program Files (x86)\Iriun Webcam\adb.exe
      adb.exe devices
      4⤵
      Executes dropped EXE
      PID:4352
    - - C:\Program Files (x86)\Iriun Webcam\adb.exe
        
        adb -L tcp:5037 fork-server server --reply-fd 240
        5⤵
        Executes dropped EXE
        
        PID:3444
  - - C:\Program Files (x86)\Iriun Webcam\adb.exe
      adb.exe devices
      4⤵
      Executes dropped EXE
      PID:3168
  - - C:\Program Files (x86)\Iriun Webcam\adb.exe
      adb.exe devices
      4⤵
      Executes dropped EXE
      PID:1944
  - - C:\Program Files (x86)\Iriun Webcam\adb.exe
      adb.exe kill-server
      4⤵
      Executes dropped EXE
      PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4088

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D62AF8F6F0306F56AA26F4A6C93A258C
  2⤵
  - Loads dropped DLL
  PID:1696
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EBF13125C69A5A7C49D36AE58E9915F6
  2⤵
  - Loads dropped DLL
  PID:3028
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6D522133687093899FC58CA836D7A7BF
  2⤵
  - Loads dropped DLL
  PID:4464
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3E2189A023671470AB17D6324F977136
  2⤵
  - Loads dropped DLL
  PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{fb6bec4b-9f24-1f4c-9458-6c14f5198b70}\iriunaud.inf" "9" "49f3306f3" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "c:\users\admin\appdata\local\temp\is-ldjat.tmp"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4968
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca115a9e2d13:IRIUNA0:1.1.0.0:root\iriuna0," "49f3306f3" "0000000000000148" "fe95"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1944
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{dfe41c89-0e91-3a4d-ab7e-72ab06d1b4ee}\iriunv0.inf" "9" "45a8d7073" "0000000000000178" "WinSta0\Default" "0000000000000180" "208" "c:\users\admin\appdata\local\temp\is-ldjat.tmp"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4296
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\CAMERA\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:741f41b526e253e4:Iriun:1.7.3.0:root\iriunv0," "45a8d7073" "0000000000000178" "fe95"
  2⤵
  - Registers COM server for autorun
  - Drops file in Windows directory
  - Modifies registry class
  PID:5004

C:\Windows\System32\WUDFHost.exe
"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-684e3702-2075-437e-bc88-49548c54a552 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d7b56e3f-bf4e-4011-a90b-bb0d0248ee19 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-09a9b6be-518b-4c54-a550-93d377f5985a -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-94e850d5-f7e0-4365-81fd-596587da8d17 -LifetimeId:729a22fe-9ff0-477f-81b2-44e44a7fd5eb -DeviceGroupId:WudfDefaultDevicePool -HostArg:0
1⤵
- Loads dropped DLL
PID:4464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k CameraMonitor
1⤵
- Loads dropped DLL
PID:3940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57deab.rbs

Filesize
57KB

MD5
028158a07492cb824c181d0d6d133888

SHA1
85bf2d30f9d81b085c12643c6ff13aba03b46a5a

SHA256
eb50480a58bff9da432a7d184d7db9188b45c271c2be718b65a7e6fd581a2171

SHA512
3dcd066eae2db4cef60995311271ed420dfa9a0a48361d8d6f84338eea4f20046238b954a0bcdf712cc689cdf49cd8342477942b408813527ae6470b3019a3bd

Download Submit
C:\Config.Msi\e57deb0.rbs

Filesize
8KB

MD5
3e049611bc1d242c6faa3701af1acd95

SHA1
dbfdc41ab849c0b42e3c1fb0040d86a7699a3282

SHA256
01c398110746b26b10ec47643b21cf77b8ac6a1202250b01d702c0edc2efa5d0

SHA512
1151331dc8bfd46ff6effcce1f3254973e0cbc9f2d3f25d9a831c0ebda7ad2790da2f050b15a13b31a59589bc6a6a02cc91b45b3a27ed62073148cfd29e1a0d2

Download Submit
C:\Config.Msi\e57deb5.rbs

Filesize
9KB

MD5
a5c216e06909577d8e492d42b83a8d77

SHA1
5ef31e62691e422ea2961fb53fc9117a0205ad6a

SHA256
0632d2af0838eda4b69c6fd375011b80baead9ecdc37cc7346d5765353994f44

SHA512
ad987679e25efe2354eae6ddad14daef1d4872373661ef6547c0a9947f8a6bbdc0a69164341571344385fd8e5ba2b4433e5d36969fd7c6c67201baf262374b44

Download Submit
C:\Config.Msi\e57deba.rbs

Filesize
90KB

MD5
a2806fc6ce145858dd380686aedf0eb1

SHA1
fc583833086ea59705a7381535c51c8f9edd89e3

SHA256
763acc203ef897e7039f3d69400f8654f4c163a77a7a39633591f91fac4b261a

SHA512
aeb3b4aed4ab9bedc336ce206f9fe6046bb2318ff6cbeb05e60ba82bd710f4b463e15615bd68f939f46999b70774db12275299d10ffcbd421c71c688fd545587

Download Submit
C:\Program Files (x86)\Iriun Webcam\IriunWebcam.exe

Filesize
180KB

MD5
d126f7dd067e1c2ebde5ed1279f2ce8e

SHA1
77db2e7596003defe5ae5eb3094bf338bde9118c

SHA256
24b4365048c826e8e6c4fc49ec0dc2e933aaf7c2ce9e0440d507cc326e31ddc7

SHA512
834452040c02ffc1fd9bb47b87f839489f080525b6fe25b45121dc3c750ff80fea430fed0e48e096bfe8036552bcbe63c9c93ef7eecca5721f7e1af176fcccea

Download Submit
C:\Program Files (x86)\Iriun Webcam\devcon.exe

Filesize
81KB

MD5
816c4e245b286b4e4903131f75a94948

SHA1
eda70c1fc8a461efb0e376d42e35a72b96175e4d

SHA256
aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

SHA512
d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

Download Submit
C:\Program Files (x86)\dotnet\LICENSE.txt

Filesize
9KB

MD5
31c5a77b3c57c8c2e82b9541b00bcd5a

SHA1
153d4bc14e3a2c1485006f1752e797ca8684d06d

SHA256
7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d

SHA512
ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

Download Submit
C:\Program Files (x86)\dotnet\ThirdPartyNotices.txt

Filesize
78KB

MD5
f77a4aecfaf4640d801eb6dcdfddc478

SHA1
7424710f255f6205ef559e4d7e281a3b701183bb

SHA256
d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7

SHA512
1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.14_(x86)_20240224071628_000_dotnet_runtime_6.0.14_win_x86.msi.log

Filesize
3KB

MD5
3035d4027db92eaeba795317ccec9315

SHA1
9fe5ac1d485a0f843d539552c3cead4c100bbefa

SHA256
fda1b752bd136c5ea78c879d54e34edf8f4de48a4b0d34583ee457cb7dc98d7f

SHA512
1860f0d59714d0a77651fe0bd350a71936638f52f19901468e82a88bc07a79fd5d0bdc131b2b0957b5ec7c74f2e8999679fc889fcce5565f9115d5109a03fd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.14_(x86)_20240224071628_001_dotnet_hostfxr_6.0.14_win_x86.msi.log

Filesize
2KB

MD5
d58fb7dfc03502bc415970b82ca87278

SHA1
3a35738ae4eedf0f654f1f3df7c690b4f83a7473

SHA256
58c1dd82252e3017c1bc92b31dabe5aa2353daf50f8d42715c1ac3eed7e8dbda

SHA512
bf99fe7bfc320d1aa8887fe84fda0494f16b01b3d0d56d583c77e1fe0f85862a4889424c0523f14e47b8b2ea7ab0130c58dfe5a31f8bb7387fbce3b757e9024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.14_(x86)_20240224071628_002_dotnet_host_6.0.14_win_x86.msi.log

Filesize
3KB

MD5
a2bb3cc793977ec55b81f080c54eec8e

SHA1
195734e10adbf186660c921e71402dfd9d00341f

SHA256
d925a7d0ed1b6b514c9df3b2fb60bf9dd19904a536aebccbbb7e6ab0b7a4e4cc

SHA512
8c423b455e15576758a952ab780ea0ce65975e312342b5a3edb99095b16237a3d97ffe8fbe15fbc1ffdb497eed7846bbab6c0fdc52d59a612b6f3cdd27406607

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.14_(x86)_20240224071628_003_windowsdesktop_runtime_6.0.14_win_x86.msi.log

Filesize
2KB

MD5
36078f92e8fe6052f62084b2e9ca843a

SHA1
ab494c09a0fdd410ed07b38a964414cc4f324ce9

SHA256
6367243f588ca0f00432b9179bb0869738c676b0d07dcc6b1358bd63191887f3

SHA512
344f694d382009dc42d1a077ab2dc11f8501e34d1c45692a88138d51b0d03441b5e51df86b8b724f6553575bf87a6ebe92fd0d6ee627ca0d9607fcf6ca76ef52

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1OPDH.tmp\IriunWebcam-2.8.4.tmp

Filesize
2.0MB

MD5
8c860813412d07cca77ebf933d879f02

SHA1
c3c1bb02c21eacaca1b8162b7fc001f2997cd6d6

SHA256
946b0c0b42f33fc42176dcfa50cd3dfcb2f2993673a003d2045978e13edbe3db

SHA512
1739ba35f329afc3823b210f96d32dd5819c2f3737492c30c45d5f273c25c9cd7221fa844c1e3985261f7afe3f01c26773235c7b4e7d5fd438b3a11f89115501

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1OPDH.tmp\IriunWebcam-2.8.4.tmp

Filesize
3.0MB

MD5
6fc7483e42deefbbe32bec4b97b8d69c

SHA1
35fb4b7fcac1e03f37de7ac2ed306f3f40c5eb28

SHA256
8bc4748c4c3d27d645af069eac99d9f1a1f1e614f203b36d60e520c09a71a453

SHA512
cc96070fa351a8bc7b0636f7279745aa7ac10b9ed049b401a3d2f8fd1c0777ae98fea1be81a510e1ca1fca53125b134497c73d48029d1d675319fb066640d0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\dotnet60desktop.exe

Filesize
17.2MB

MD5
847bf9a9d3d9040faae81b9feaf480d4

SHA1
7a8ef73cc564ec2a615ba6ba918e16244d0bdd2c

SHA256
c044dbc6701ed839b6387eef7ded7f5c7a306512e125536ef5cccf3323221e47

SHA512
a7315057a0a000afb211c2b747942d80b9adbe7f33e12a0c68baeeef47834bcd21e74cc11699e2a5b50d55e036edb61c372a928f48a6ad4ae0f0f78e56953626

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\dotnet60desktop.exe

Filesize
12.6MB

MD5
2f4f75eebba8d331246b56a978da303b

SHA1
f2c9e7f3e9ed50efeb214c5c65cf098b7baba556

SHA256
68ddefcba93801323b5633e7414d2dde1c96c4fc6ee863a1ea3c878d11d54d07

SHA512
4aeb4ce1c0ae4a9e6ff910906df0de156c9c2bc031047a9f10a1ce602ae7ef9a9a12e95ff75cc55b8ffd71cb00f92ae4d57f22ce03ce59462eedfd583cd5a821

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\dotnet60desktop.exe

Filesize
15.6MB

MD5
26fd5b3c6b64afe060fce2947e9b3a1c

SHA1
a6b97d37ab0a2f9ed421674e6c579db4ec39aaed

SHA256
77ec65f659a309e8d5f12c5ad034856e94e124ca0a6b1c20f5fe275d02d2bde3

SHA512
2d39acc6a70a139ae4c05a2755109611f9f12fe42ca22c387534779f3b8f00e047126d3ec5923f1a78c281374e03d12e2ca390c0c685e7e173a2496c090e1d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\iriunaud.inf

Filesize
9KB

MD5
50babc5474b2bc3310e69ec665df52b5

SHA1
e58fc1eeeb7fbed9dd5ec0838582f4a93304fc9a

SHA256
d9efc7dc0ea210ad25046a0396439b88355451c9f07515bf1902c25bf071b889

SHA512
ee519279d404463f87a123d87cb3d32c687122ce486f2858028c3c33f6542a58d812bd6a355a690c9f23b1046c5055a2fa84413a23d2db20352b1ecbac84c5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\iriunv0.inf

Filesize
5KB

MD5
4271ef4a1278916281aa01a97ae34e1d

SHA1
d3075d6a962ec57f9cf802ca28271b010451c285

SHA256
37c8dc4594d178624b407a8bd334e0477d1e84cefbb7b3de6994761fe3f32951

SHA512
d68c17170e670542468d434825fbb1b7fed2f5f9c04bf4c84c0f6d59c57be20675c5d4ceda03f90266f084635161593f459618a710a436a6bab026ddde614c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\netcorecheck.exe

Filesize
107KB

MD5
92e65cd72cf9f57deeac5c0c4186a5bd

SHA1
b187a4f6c84193d17fd79506206955dd6fabe897

SHA256
ef10850b31b3dbe9ad6cf8cb55fb1f81a60ea9c5c0694b4b94b283601eb17c20

SHA512
ae70051d857d1a7398fced3e12ec708e5580d60a3e1a39e89f5fbafce7da499d5d47ed8402db5d21a0994354673c1ea82acb5f7cedd1703e3562eb378c3c7bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\video32.dll

Filesize
314KB

MD5
a00de9716d0fa0e90e0eb0ba3e2fbd87

SHA1
82b905d4067a556f09cbecdabf8a657ba49a988c

SHA256
88b1cd4fde23c0b57cec028b3931858d4ea13f759248b3a16c23c71f2d2f282d

SHA512
fa14002edb1eed1655a62373a856cb586fcd06f1a0d3fcb94396d0ee4b09ec10716a2b81fdf5781f9ae9a5ed86f96222a0d13562ca44ce355c157ebf2dbf8a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LDJAT.tmp\video64.dll

Filesize
392KB

MD5
ee0adcc0bda9520533b89576cb383241

SHA1
ca1b97ad4633f32b3799de8cc2a267280bd15f9c

SHA256
5fe4b3b4dd524d09fd123e609b0b6a711cb7d2523890d84aac380d32579844d3

SHA512
25237294668e06dfc116bdacaa962961c162387ba91a93bfa3e989bb48e16141ac896af31aee9e8259a848d231ae272ef64266ea24b0747f454c7b6f740de808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{dfe41c89-0e91-3a4d-ab7e-72ab06d1b4ee}\Iriunv.dll

Filesize
127KB

MD5
030335d0cf19d7e5c62a26f2918b1054

SHA1
c9a725736f0cd2e33324f155f39461942e675719

SHA256
c71c3c69b58124f52e530d351d4f05a8e6165a4c3a36167c8cfe51b6656abe88

SHA512
48274acfdd036f620785c900da30e3f051dd2eb45fcbc7712c88e37858664e7a58cadfbc4bbc0742b81b24481df17e977945ee3a843c7bfcbdec106cfa041354

Download Submit
C:\Users\Admin\AppData\Local\Temp\{dfe41c89-0e91-3a4d-ab7e-72ab06d1b4ee}\Iriunv0Driver.dll

Filesize
34KB

MD5
f5e083e05590238feb8f8d3a887e80a7

SHA1
6b6ca4d8b393aca29793b31c5b7a376ffaefd031

SHA256
5bb81a26af1f1857ce64219abda9f8f8fc0679555cb5f61ff745870db8fbb4bc

SHA512
c698d1435fbea927798351a6986a4ad19a582fc9b9010f2b70b7e55ea6ef5c2fe9ae048fcf1aaa19e3b2e4854a4009eb1ac5f19c987bcdc95bbeac12a38a1e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb6bec4b-9f24-1f4c-9458-6c14f5198b70}\iriuna1.sys

Filesize
45KB

MD5
d61b92b1e21dccde025cc922e83b0446

SHA1
a130113accda7de05478a73610af586b808e4615

SHA256
b49c2defc596902c2f3d1443b2332fcf0f33dd981e617815f55d5a1cbef70ec2

SHA512
27ee786cf8d4cf264cfb2bca3dd0699fa168a321bdbf1f2c0838e65b9db71ae3ca05005a23f1ef5422be2f212463d9287dc847ba63053913cea185cf3881afce

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb6bec4b-9f24-1f4c-9458-6c14f5198b70}\iriuna2.sys

Filesize
45KB

MD5
1ca069f7e6c11b637ba5ded2cee59455

SHA1
950c5fdbd138e632c9e92eb577d565a912044935

SHA256
781165c941363ca5f02e12475eded7ae54d3fd2c43a3d66612c73e3901cd45b7

SHA512
7220ed6ff29b8ffe8e9228e4fc82a94a9096ea6fab7630ad7a413e975710a8917f953330e15fa10e9fdd58229a97e4bf8f95a0b98fe899296e371fb36630042c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fb6bec4b-9f24-1f4c-9458-6c14f5198b70}\iriuna3.sys

Filesize
45KB

MD5
e2bea5605f2e2542de4a8fcb1f7fd2dc

SHA1
68fe032d5eef83acc5a598d0339eec7b1196003c

SHA256
ed9c2cafadc3f6a57db53aa9090f6b2f0756fcc08a441e8dacbbdd46c6bdc31d

SHA512
3656421217cdb87ab6d0cef4aaa8f69138c9df3be33fb691f71c49ac9f17e9420da93029b18f6d80270e0e532fa349d52fa8db4c535ae59a8ba06f70c8e07c5e

Download Submit
C:\Windows\Installer\MSIF703.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\e57dea8.msi

Filesize
23.4MB

MD5
cdce3c41f8671a5e9787704677fa0daf

SHA1
e1ae62cdcc9fdd553f6c975ba061c218e31c75be

SHA256
af428490dcd56f107e9d348c4e2613e54d617f44455fa65dd36af4c493c4b205

SHA512
4b94a5719568479ee2fa47b8aee60f2db00053664d051347653b64841c465a16fb0448a33a52f3b13d05236cc03c3d7a039e9f2633291d9b6caeebe0bace2b61

Download Submit
C:\Windows\Installer\e57dead.msi

Filesize
784KB

MD5
73968a93329a8a3e08952edfb8ed5dc0

SHA1
67d82e4638dd70aa787f47ad39d74b75686a0965

SHA256
fd29a2269cd1ac89d8887836b5ede8813c975d2a339e5d1e50949d5ee8081791

SHA512
363d3ff72ee1ef9705310eacc973622b4ae2e937ff9f032af8233eda55da2e4002ca60486dc5dc23f6d20a1134a7dbde25c88157506859154045f51d71845104

Download Submit
C:\Windows\Installer\e57debb.msi

Filesize
20.9MB

MD5
aeb3dd4311c66cf395c3cb0f980bc1e2

SHA1
9a84b635154a97266dd7dbc975d86d613876a773

SHA256
03efa8a87ac26cb4a9e5dfdbbda76d4901b287bc0b42b3e61f96e31926bbcd9d

SHA512
9d9987c8188e34763cc08b0255012d5344508ab2b0e404f1298c373d7efb8dd534d9da9d245f9b143ec1083dd7f9f53be2cbfa57dc3f03d9220148c0f176ed0d

Download Submit
C:\Windows\Temp\{E1DD51C4-CC8E-40C7-8B98-BCF478A98D45}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{E1DD51C4-CC8E-40C7-8B98-BCF478A98D45}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{E1DD51C4-CC8E-40C7-8B98-BCF478A98D45}\dotnet_host_6.0.14_win_x86.msi

Filesize
128KB

MD5
06b35552106ca108227b3f2730ec1fb8

SHA1
dcc80bdf92e562821a4a86044b3a1dab5d7345e8

SHA256
74c6a88ec86ac183599eb4de3aa3e24571dcbf2811703a2789782f1868e9c036

SHA512
9f00f41fd097d227d377824bad3b65659505a80f463858b026e0e2eec61e9fa26869b6beb203b946478a7c580f346936738e8515803637ac5eb90d972c4bf200

Download Submit
C:\Windows\Temp\{E1DD51C4-CC8E-40C7-8B98-BCF478A98D45}\dotnet_hostfxr_6.0.14_win_x86.msi

Filesize
192KB

MD5
d4212b06586fd6bb50ad2b30431e6b94

SHA1
6e67f064317aa1929f494cb7caa4ec6015b0f43b

SHA256
adc72afba5c51e29731cc9ce1e0a1661f2fcc1c968b3d09740507e4f26a3e0dc

SHA512
a01d2e1ed0e0b170c29a375d231be7ad8fd0b033ba402538d1746ab72380f16071b06b23f846b79346d6a8b7de4d629ea410cb43ed1e91854948c1bc005fbe58

Download Submit
C:\Windows\Temp\{E1DD51C4-CC8E-40C7-8B98-BCF478A98D45}\dotnet_runtime_6.0.14_win_x86.msi

Filesize
2.8MB

MD5
46272168a1f40e0f95da60009c25df75

SHA1
61eec9e227acbc55a3b3b4b1411ffcc16671b1d9

SHA256
9dcbbcb48975c0239420585fcfc88139489bdba0e26f5a67023a306d25e95121

SHA512
c0bee2d676c654779e191dc5578e9f65d21ccf699b287bd5d1d3383a1eae2ce2cf472f448395817c608a0c37cfc4cb9fa9de4002a5e0b73786d3252c3409f4e0

Download Submit
C:\Windows\Temp\{E1DD51C4-CC8E-40C7-8B98-BCF478A98D45}\windowsdesktop_runtime_6.0.14_win_x86.msi

Filesize
128KB

MD5
3d942f68deeb5fc31855ce777a232415

SHA1
0370910fa09e32976c6fa3f246632a49fb3cb513

SHA256
b0ccdf29fa7eb2141c772b5c438b8e0ec600b51c8928edfd5538ab940676d3a7

SHA512
cacba2d7f052d1aade91722ea3c6d2eeb25102b083b4f2673712e8a49e2e8113af947a23d5df7a75ee6a1215d92d482aa1126b13e6825c627af4e18d25fddf5d

Download Submit
C:\Windows\Temp\{F78924BB-3683-4204-AF05-84CFFC441E2D}\.cr\dotnet60desktop.exe

Filesize
610KB

MD5
22b5e36f50b922e65d596451cfb9e6dc

SHA1
4249136f82ac8de814cb152bc84bd8a3e5d24939

SHA256
bcee8bdcdea15588bbe346568fbde57972d2267625d820c8f8acac10745f300f

SHA512
578fef393688e85279e12008bb169cd229fccac5ca8838fa71ac12315f7f775395da10159538bcabfd1b4492bc19424bdd485eeabbddbc92e2d83ae8892232a4

Download Submit
\??\c:\users\admin\appdata\local\temp\is-ldjat.tmp\Iriunv0.cat

Filesize
12KB

MD5
8c6428e1e0d27ad4cbc878ee4f391512

SHA1
824ab680fdcc8d1c8e708c2844e5ef38075b63ad

SHA256
808e291b7b2aa68632d06698bb70c2dd4d2bd00b726a83f7751b4418d6a406f3

SHA512
f2daf9f7348dac86819697d5c627346e55431bcce305afb42f377ea813bdb254657074dd5e07519367bbbfbcf53c3674c52b787cef821466bd1eb857c18eedb4

Download Submit
\??\c:\users\admin\appdata\local\temp\is-ldjat.tmp\iriuna0.sys

Filesize
45KB

MD5
5722ae97a72f9fbe12231ec9c8446e1e

SHA1
969603612f2d493322908aa5295b383a54e11129

SHA256
560093d6b6b1608cb69bff59656f29a4e487512a2cf654440e9483ea684400df

SHA512
a9d20879d9bcf63177064db6f8174bee5924d431e3325bb84a3190c6b33591cd3ca771bdf76aaef86302c60b2e7a38eb328b4322ef9219c83eb26a6f12d95be7

Download Submit
\??\c:\users\admin\appdata\local\temp\is-ldjat.tmp\iriunaud.cat

Filesize
12KB

MD5
df28ebf75e67e94211d99a63884215fe

SHA1
00a8c76f25769999721cbfdf19b9b2d266df2b76

SHA256
d3aab4b49b367f54502556a251b04026ed79dc5b18eb142b21cea13ec927952d

SHA512
51216e416e734b3fe32d398310b482d1207c5d5e529effee1177bc8f597d8af73060b6ec059acbaacb507c8ce52330575423d37efe8553951f04661bdb7d88d2

Download Submit
memory/796-1122-0x0000000064B40000-0x0000000064B5B000-memory.dmp

Filesize
108KB

Download
memory/796-1131-0x0000000072AE0000-0x0000000072F0A000-memory.dmp

Filesize
4.2MB

Download
memory/796-1166-0x0000000072AE0000-0x0000000072F0A000-memory.dmp

Filesize
4.2MB

Download
memory/796-1165-0x000000006CF00000-0x000000006D0CC000-memory.dmp

Filesize
1.8MB

Download
memory/796-1164-0x000000006D280000-0x000000006D31F000-memory.dmp

Filesize
636KB

Download
memory/796-1163-0x0000000064B40000-0x0000000064B5B000-memory.dmp

Filesize
108KB

Download
memory/796-1162-0x000000006D320000-0x000000006D3E8000-memory.dmp

Filesize
800KB

Download
memory/796-1121-0x000000006D320000-0x000000006D3E8000-memory.dmp

Filesize
800KB

Download
memory/796-1123-0x000000006D280000-0x000000006D31F000-memory.dmp

Filesize
636KB

Download
memory/796-1124-0x000000006CF00000-0x000000006D0CC000-memory.dmp

Filesize
1.8MB

Download
memory/796-1092-0x000000006CF00000-0x000000006D0CC000-memory.dmp

Filesize
1.8MB

Download
memory/796-1089-0x0000000072AE0000-0x0000000072F0A000-memory.dmp

Filesize
4.2MB

Download
memory/796-1091-0x000000006D320000-0x000000006D3E8000-memory.dmp

Filesize
800KB

Download
memory/1944-1141-0x00000000001C0000-0x00000000003BF000-memory.dmp

Filesize
2.0MB

Download
memory/2576-1161-0x00000000001C0000-0x00000000003BF000-memory.dmp

Filesize
2.0MB

Download
memory/3168-1119-0x00000000001C0000-0x00000000003BF000-memory.dmp

Filesize
2.0MB

Download
memory/3440-439-0x0000017206A30000-0x00000172074F2000-memory.dmp

Filesize
10.8MB

Download
memory/3444-1146-0x00000000001C0000-0x00000000003BF000-memory.dmp

Filesize
2.0MB

Download
memory/3444-1160-0x00000000001C0000-0x00000000003BF000-memory.dmp

Filesize
2.0MB

Download
memory/3444-1125-0x00000000001C0000-0x00000000003BF000-memory.dmp

Filesize
2.0MB

Download
memory/4352-1118-0x00000000001C0000-0x00000000003BF000-memory.dmp

Filesize
2.0MB

Download
memory/4784-1104-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4784-2-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4784-20-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4784-0-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4992-6-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/4992-26-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/4992-141-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/4992-1087-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/4992-21-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/4992-23-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/4992-24-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/4992-1103-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download