Analysis
max time kernel: 104s
max time network: 105s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07-03-2024 11:04

Static task: static1
Behavioral task: behavioral1
Sample: MaxPower_MK853_Software_V2.0_23110700.exe
Resource: win11-20240221-en

General
Target: MaxPower_MK853_Software_V2.0_23110700.exe
Size: 10.5MB
MD5: 91d8ff558a4737199ed69a82d8a61913
SHA1: 5bec10dc213004c2c56ca9db485b92cc505f4865
SHA256: e34f5a37f9f4bbcc6f6d1b0d8bce7f69eb965d165c5b8a92432616a461bc1eed
SHA512: a97a90e4ccde1a336e40d6b65c1635bab4ceb5858e15aa82861186cff67dfebd138278db1d7972acf790af945f90c842aea474e122e8cf428f0ee94300920929
SSDEEP: 196608:hv8Dd3V4txti7jP80dB/SHSbFCsRr0m3m99A+U5hJs:hvsdytUQuBmSZ7Rri9RCha
Malware Config
Signatures
Drops file in Drivers directory 3 IoCs
description                   ioc                                        Process
File opened for modification  C:\Windows\System32\drivers\SETF8E2.tmp    DrvInst.exe
File created                  C:\Windows\System32\drivers\SETF8E2.tmp    DrvInst.exe
File opened for modification  C:\Windows\System32\drivers\vhidflt.sys    DrvInst.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 16 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 26 IoCs
Executes dropped EXE 4 IoCs
pid   Process
5116  DPInst64.exe
3676  ShinetekTools.exe
2828  devcon.exe
3700  devcon.exe
Loads dropped DLL 12 IoCs
pid   Process
4992  MsiExec.exe
4992  MsiExec.exe
4992  MsiExec.exe
4992  MsiExec.exe
4992  MsiExec.exe
4992  MsiExec.exe
4992  MsiExec.exe
4884  MsiExec.exe
4884  MsiExec.exe
4884  MsiExec.exe
4884  MsiExec.exe
4992  MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 53 IoCs
Modifies registry class 29 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\Assignment = "1" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\InstanceType = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8BCBA1655DFB9B04B8E199295FE07398\8A0E55FEC9CE22740ABABFDEDB7B65F0 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\ProductIcon = "C:\\Windows\\Installer\\{EF55E0A8-EC9C-4722-A0AB-FBEDBDB7560F}\\ShinetekTools_1.exe" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8BCBA1655DFB9B04B8E199295FE07398 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\PackageName = "ShinetekTools.msi" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\Media\3 = "Disk1;Disk1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\Media\4 = "Disk1;Disk1" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A0E55FEC9CE22740ABABFDEDB7B65F0 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A0E55FEC9CE22740ABABFDEDB7B65F0\English msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A0E55FEC9CE22740ABABFDEDB7B65F0\MainFeature msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\Language = "1033" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\Version = "16777218" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\Net msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\Media\DiskPrompt = "[1]" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\Clients = 3a0000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{EF55E0A8-EC9C-4722-A0AB-FBEDBDB7560F}\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A0E55FEC9CE22740ABABFDEDB7B65F0\ChineseSimplified = "\x06" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{EF55E0A8-EC9C-4722-A0AB-FBEDBDB7560F}\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\ProductName = "FANTECH MK853 Gaming Keyboard" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\AdvertiseFlags = "388" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\DeploymentFlags = "3" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\Media\1 = "Disk1;Disk1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\PackageCode = "2C9CE37D3B9AC6C4C8D09F614F16E0E2" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\AuthorizedLUAApp = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\Media\2 = "Disk1;Disk1" msiexec.exe
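The 32-hex-digit key names in these rows are Windows Installer "packed" GUIDs, and the Version value is a packed DWORD; both decode back to what msiexec.exe and the Uninstall registry key will show. The Python below is an added example, not part of the sandbox report and not code from the keyboard vendor. It implements the documented packed-GUID transform (first three GUID fields reversed, each byte of the last two fields nibble-swapped) and the Version layout (major<<24 | minor<<16 | build), and runs them over REPORT_ROWS, a constructed copy of six rows from the table above:

```python
r"""Decode the Windows Installer data in the 'Modifies registry class' rows.

Added example; not part of the sandbox report and not vendor code.
Packed GUIDs are the key names under
HKLM\SOFTWARE\Classes\Installer\Products and \UpgradeCodes; the
transform is its own inverse, so one helper both packs and unpacks.
"""
import re

# Constructed copy of six rows from the report (verbatim text).
REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\Assignment = "1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\ProductName = "FANTECH MK853 Gaming Keyboard" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\Language = "1033" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\Version = "16777218" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\SourceList\PackageName = "ShinetekTools.msi" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0E55FEC9CE22740ABABFDEDB7B65F0\PackageCode = "2C9CE37D3B9AC6C4C8D09F614F16E0E2" msiexec.exe
"""

# Packed key of the UpgradeCodes entry in the same section of the report.
UPGRADE_KEY = "8BCBA1655DFB9B04B8E199295FE07398"

# One "Set value" row: operation, packed product key, value name, quoted value.
ROW_RE = re.compile(
    r'Set value \((?:int|str|data)\) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Installer\\Products\\'
    r'([0-9A-F]{32})\\([A-Za-z0-9\\]+) = "([^"]*)" msiexec\.exe$'
)


def _swap_fields(hex32: str) -> str:
    """Reverse the 8/4/4-digit fields, swap nibbles of each remaining byte."""
    h = hex32.upper()
    first = h[0:8][::-1] + h[8:12][::-1] + h[12:16][::-1]
    rest = "".join(h[i + 1] + h[i] for i in range(16, 32, 2))
    return first + rest


def unpack_guid(packed: str) -> str:
    """Installer key name -> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("packed GUID must be 32 hex digits")
    h = _swap_fields(packed)
    return f"{{{h[0:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:32]}}}"


def pack_guid(guid: str) -> str:
    """Normal GUID -> Installer key name (inverse of unpack_guid)."""
    h = guid.strip("{}").replace("-", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", h):
        raise ValueError("GUID must have 32 hex digits")
    return _swap_fields(h)


def decode_version(dword: int) -> str:
    """ProductVersion DWORD: major in the top byte, minor next, build in the low word."""
    return f"{(dword >> 24) & 0xFF}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def summarize(rows: str) -> dict:
    """Collect the Products rows (one product key) and decode the useful values."""
    values, keys = {}, set()
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, name, value = m.groups()
        keys.add(key)
        values[name] = value
    if len(keys) != 1:
        raise ValueError(f"expected rows for exactly one product, got {len(keys)}")
    (key,) = keys
    return {
        "product_code": unpack_guid(key),
        "product_name": values.get("ProductName"),
        "version": decode_version(int(values["Version"])),
        "language": int(values["Language"]),
        "package_code": unpack_guid(values["PackageCode"]),
        "package_name": values.get("SourceList\\PackageName"),
    }


if __name__ == "__main__":
    for k, v in summarize(REPORT_ROWS).items():
        print(f"{k:13} {v}")
    print("upgrade_code  " + unpack_guid(UPGRADE_KEY))
```

The decoded product code is the {EF55E0A8-EC9C-4722-A0AB-FBEDBDB7560F} that already appears in the ProductIcon and LastUsedSource values, so the same script can be pointed at a live HKLM\SOFTWARE\Classes\Installer\Products key to find what `msiexec /x {GUID}` would remove. Note that the decoded ProductVersion is 1.0.2, not the "V2.0" in the bootstrapper's file name.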
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
2600 msiexec.exe
2600 msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeSecurityPrivilege 2600 msiexec.exe
Token: SeCreateTokenPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeAssignPrimaryTokenPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeLockMemoryPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeIncreaseQuotaPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeMachineAccountPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeTcbPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSecurityPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeTakeOwnershipPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeLoadDriverPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSystemProfilePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSystemtimePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeProfSingleProcessPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeIncBasePriorityPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeCreatePagefilePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeCreatePermanentPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeBackupPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeRestorePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeShutdownPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeDebugPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeAuditPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSystemEnvironmentPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeChangeNotifyPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeRemoteShutdownPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeUndockPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSyncAgentPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeEnableDelegationPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeManageVolumePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeImpersonatePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeCreateGlobalPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeCreateTokenPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeAssignPrimaryTokenPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeLockMemoryPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeIncreaseQuotaPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeMachineAccountPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeTcbPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSecurityPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeTakeOwnershipPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeLoadDriverPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSystemProfilePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSystemtimePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeProfSingleProcessPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeIncBasePriorityPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeCreatePagefilePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeCreatePermanentPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeBackupPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeRestorePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeShutdownPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeDebugPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeAuditPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSystemEnvironmentPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeChangeNotifyPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeRemoteShutdownPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeUndockPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeSyncAgentPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeEnableDelegationPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeManageVolumePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeImpersonatePrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeCreateGlobalPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeCreateTokenPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeAssignPrimaryTokenPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeLockMemoryPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeIncreaseQuotaPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
Token: SeMachineAccountPrivilege 4804 MaxPower_MK853_Software_V2.0_23110700.exe
The 29-privilege run for PID 4804 (SeCreateTokenPrivilege through SeCreateGlobalPrivilege, repeated; the table is capped at 64 entries) is every Windows privilege in LUID order 2 to 30, which is what a setup bootstrapper produces when it enables all privileges on its token in a loop rather than requesting one specific right. The one that matters for the rest of this report is SeLoadDriverPrivilege, since the package goes on to install a kernel driver (vhidflt.sys).
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
4804 MaxPower_MK853_Software_V2.0_23110700.exe
4804 MaxPower_MK853_Software_V2.0_23110700.exe
3676 ShinetekTools.exe
3676 ShinetekTools.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
3676 ShinetekTools.exe
3676 ShinetekTools.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
3676 ShinetekTools.exe
2828 devcon.exe
3700 devcon.exe
1092 MiniSearchHost.exe
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target
PID 2600 wrote to memory of 4992 2600 msiexec.exe 84
PID 2600 wrote to memory of 4992 2600 msiexec.exe 84
PID 2600 wrote to memory of 4992 2600 msiexec.exe 84
PID 4804 wrote to memory of 756 4804 MaxPower_MK853_Software_V2.0_23110700.exe 85
PID 4804 wrote to memory of 756 4804 MaxPower_MK853_Software_V2.0_23110700.exe 85
PID 4804 wrote to memory of 756 4804 MaxPower_MK853_Software_V2.0_23110700.exe 85
PID 2600 wrote to memory of 4000 2600 msiexec.exe 89
PID 2600 wrote to memory of 4000 2600 msiexec.exe 89
PID 2600 wrote to memory of 4884 2600 msiexec.exe 91
PID 2600 wrote to memory of 4884 2600 msiexec.exe 91
PID 2600 wrote to memory of 4884 2600 msiexec.exe 91
PID 2600 wrote to memory of 5116 2600 msiexec.exe 93
PID 2600 wrote to memory of 5116 2600 msiexec.exe 93
PID 1604 wrote to memory of 4036 1604 svchost.exe 95
PID 1604 wrote to memory of 4036 1604 svchost.exe 95
PID 3676 wrote to memory of 2828 3676 ShinetekTools.exe 97
PID 3676 wrote to memory of 2828 3676 ShinetekTools.exe 97
PID 3676 wrote to memory of 3700 3676 ShinetekTools.exe 99
PID 3676 wrote to memory of 3700 3676 ShinetekTools.exe 99
PID 1604 wrote to memory of 4812 1604 svchost.exe 101
PID 1604 wrote to memory of 4812 1604 svchost.exe 101
Every entry here is a parent writing into a child it has just created (msiexec.exe into its -Embedding custom-action hosts, srtasks.exe and DPInst64.exe; the bootstrapper 4804 into its second instance 756; the DeviceInstall svchost.exe into the two DrvInst.exe instances; ShinetekTools.exe into devcon.exe), which is the normal CreateProcess write rather than cross-process injection. The procid_target column is the report's own process index, not a Windows PID.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is reached through the Windows Installer restore-point checkpoint: msiexec.exe spawns srtasks.exe ExecuteScopeRestorePoint, which starts vssvc.exe, and the file written under System Volume Information\SPP in the dropped-file list belongs to that restore point. This is standard for a first-time MSI install and is not an indicator on its own.
Processes
(indented entries are children of the entry above them)
C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe"
  PID: 4804
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe" /i C:\Users\Admin\AppData\Local\Temp\{EF55E0A8-EC9C-4722-A0AB-FBEDBDB7560F}\ShinetekTools.msi AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard" SECONDSEQUENCE="1" CLIENTPROCESSID="4804" CHAINERUIPROCESSID="4804Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="English,MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe" AI_INSTALL="1"
    PID: 756
    - Enumerates connected drives
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2600
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BB632F2B8F5FD3C0C28C5BF82EA86CF7 C
    PID: 4992
    - Loads dropped DLL
  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4000
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4FF490A90C3BC6D39B8CB0CA1E3AC72A
    PID: 4884
    - Loads dropped DLL
  C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\DPInst64.exe
    Command line: "C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\DPInst64.exe"
    PID: 5116
    - Drops file in Windows directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3656
  - Checks SCSI registry key(s)
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  PID: 1604
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8ba2721e-99f1-c148-8057-d084672b16b4}\vhidflt.inf" "9" "4246a6217" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\fantech mk853 gaming keyboard\driver\x64"
    PID: 4036
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
  C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:50ab71fe221ae399:vhidev:18.13.46.429:root\vhidev," "47645f34b" "0000000000000160" "37d3"
    PID: 4812
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\ShinetekTools.exe
  Command line: "C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\ShinetekTools.exe"
  PID: 3676
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\devcon.exe
    Command line: remove root\vhidev
    PID: 2828
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\devcon.exe
    Command line: install "C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\vhidflt.inf" root\vhidev
    PID: 3700
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s hidserv
  PID: 4224
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 1092
  - Suspicious use of SetWindowsHookEx
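The tree above shows the driver going in by two routes: msiexec.exe runs DPInst64.exe from the application directory, the DeviceInstall svchost stages vhidflt.inf from a Temp folder through DrvInst.exe and writes vhidflt.sys, and ShinetekTools.exe later removes and re-creates the root\vhidev software device with devcon.exe. The Python below is an added example with the author's own detection rules; it is not from the sandbox or the vendor. TREE is reconstructed from the tree above with abridged command lines, and the parent PIDs of top-level processes are set to 0 because the report does not give them. It flags the driver-installation steps and attributes each hit to the top-most process that led to it, which is the view a responder wants from Sysmon or EDR process-creation events:

```python
"""Flag third-party kernel driver installation in a process tree.

Added example; not part of the sandbox report and not vendor code.
Records are reconstructed from the process tree above (command lines
abridged); ppid 0 marks top-level processes whose parent is unknown.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree.
TREE: List[Proc] = [
    Proc(4804, 0, r"C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe"'),
    Proc(756, 4804, r"C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\MaxPower_MK853_Software_V2.0_23110700.exe" /i '
         r'C:\Users\Admin\AppData\Local\Temp\{EF55E0A8-EC9C-4722-A0AB-FBEDBDB7560F}\ShinetekTools.msi ACTION="INSTALL"'),
    Proc(2600, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(4992, 2600, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\Ms​iExec.exe -Embedding BB632F2B8F5FD3C0C28C5BF82EA86CF7 C".replace("\u200b", "")),
    Proc(4000, 2600, r"C:\Windows\system32\srtasks.exe",
         r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    Proc(5116, 2600, r"C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\DPInst64.exe",
         r'"C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\DPInst64.exe"'),
    Proc(1604, 0, r"C:\Windows\system32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall"),
    Proc(4036, 1604, r"C:\Windows\system32\DrvInst.exe",
         r'DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8ba2721e-99f1-c148-8057-d084672b16b4}\vhidflt.inf" '
         r'"9" "4246a6217" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" '
         r'"c:\program files (x86)\fantech mk853 gaming keyboard\driver\x64"'),
    Proc(4812, 1604, r"C:\Windows\system32\DrvInst.exe",
         r'DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem3.inf" '
         r'"oem3.inf:50ab71fe221ae399:vhidev:18.13.46.429:root\vhidev," "47645f34b" "0000000000000160" "37d3"'),
    Proc(3676, 0, r"C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\ShinetekTools.exe",
         r'"C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\ShinetekTools.exe"'),
    Proc(2828, 3676, r"C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\devcon.exe",
         r"remove root\vhidev"),
    Proc(3700, 3676, r"C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\devcon.exe",
         r'install "C:\Program Files (x86)\FANTECH MK853 Gaming Keyboard\driver\x64\vhidflt.inf" root\vhidev'),
]

# Author's rules (assumptions, not sandbox signatures).
RULES = {
    "R1": "driver-install utility (devcon/dpinst) running from outside the Windows directory",
    "R2": "devcon.exe installing an INF for a root-enumerated (software-only) device",
    "R3": "DrvInst.exe staging a driver package from an INF under a user temp directory",
}
DRIVER_TOOLS = {"devcon.exe", "dpinst.exe", "dpinst32.exe", "dpinst64.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def root_ancestor(procs: Dict[int, Proc], pid: int) -> Proc:
    """Follow ppid links to the top-most process present in the tree."""
    p, seen = procs[pid], set()
    while p.ppid in procs and p.pid not in seen:
        seen.add(p.pid)
        p = procs[p.ppid]
    return p


def evaluate(tree: List[Proc]) -> List[dict]:
    procs = {p.pid: p for p in tree}
    findings = []
    for p in tree:
        name = basename(p.image).lower()
        hits = []
        if name in DRIVER_TOOLS and not p.image.lower().startswith("c:\\windows\\"):
            hits.append("R1")
        if name == "devcon.exe" and re.search(r"\binstall\b", p.cmdline, re.I) \
                and re.search(r"\broot\\", p.cmdline, re.I):
            hits.append("R2")
        if name == "drvinst.exe" and re.search(r"\\appdata\\local\\temp\\.*\.inf", p.cmdline, re.I):
            hits.append("R3")
        origin = basename(root_ancestor(procs, p.pid).image)
        findings.extend({"rule": r, "pid": p.pid, "image": basename(p.image), "origin": origin}
                        for r in hits)
    return findings


if __name__ == "__main__":
    for f in evaluate(TREE):
        print(f'{f["rule"]} pid={f["pid"]} {f["image"]} (via {f["origin"]}): {RULES[f["rule"]]}')
```

On this tree the rules fire on DPInst64.exe (via msiexec.exe), both devcon.exe runs (via ShinetekTools.exe) and the first DrvInst.exe (via the DeviceInstall svchost.exe). The second DrvInst.exe, which installs from the already staged C:\Windows\INF\oem3.inf, is deliberately not flagged: in real telemetry the R3 hit on the staging step is the one that carries the INF's original location, and a signature check on the staged package (vhidflt.sys) is the natural follow-up.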
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 20KB
MD5 56484a7e9888a3c303a6db9418939a08
SHA1 5921016f34a9a082d6ae98d3f50ad7694b69087c
SHA256 cb1a3cc5f16ac0c81df74a88372b9c6043769315be4574889f7c2bdc9d4a4c9a
SHA512 7c70980f08adc288dcfc05744cc96c6e025d43a828afeb7475796fa75ff959f2146909462cd32f9913145ebf4c35c156423383f324f761eba1310bbd2f5e1315
-
Filesize 384KB
MD5 0ed26131ca8745acd1dca361f1c8071b
SHA1 6cbcb61bf194f6d3e404e2cb0d05b4a71d755f0f
SHA256 6eae3b65c53abeead52074d807432450801b80fe37251eb24b3a28e55a34727e
SHA512 bb2ce0aa3ded2bc9108a42e398ffca48610b2c68d4e3799679f88f10ec36ff870f5c9350a2e47a768f10034514aa318580df25a6df06bce572b4d0ad143c5474
-
Filesize 3.2MB
MD5 ef2b5461945a6623bb2eca182d437c9c
SHA1 c721b591afec03ab1f94144498e0648d80aad819
SHA256 ab4672823301174442a73d49d6bb8831600ef8df438892927291fd08be210865
SHA512 f16cb7061583a4fc5a1b92f00cb43c23f7dabbbcc9478151e501d97b1344dfd49bff2a51dd34cb7578a23c4e41b7803026d35926a74bb6fdfadaf708c913d311
-
Filesize 3.1MB
MD5 0b8f2dded726b01122b8a6f20383dd45
SHA1 6d4504132327ff3aaba71b9d6b3a0487fa2e11ee
SHA256 e47b80c56cffd088d6378fafcf0c1f0a4acad41928592aaeff101ef7cf701e4d
SHA512 5227063bc90f684616a18a74b1626355fbf84ecfe05f44dffb41b81161a553ef7469435760a3c4b12930dc503f7508f31f51e7a0df23cf24a7976c9ecd79f694
-
Filesize 834KB
MD5 30d8fb905e85e535990f29839e928eae
SHA1 170ef668d148871ad3c34c138dc15beb0eddeaa6
SHA256 653158804f2bf45ace017dc9e0f5ee73d7685bd5d88818f6dad1cfa1924887b8
SHA512 7c4c9bb1a9a028b6e142be761e6b0fb7cf3608b2ede694eef541984a17e0fb380c290ba6e21b407c8711ea3c5d89976ee4749529b91b3e21c95ae65db3597a33
-
Filesize 96KB
MD5 c49a0a1dac27f3c6614de76e13f84b6a
SHA1 57e74c5be4e371a685b540797d238f30658d3d26
SHA256 7204358c7abf112db4ec777df43706e9b8ce318d7dff3ea694e863f5715f3fe9
SHA512 753251c563656319afc745e1faa7c6e3f24afd75e03147cb72b07089f7eaee6e8e269525f458cad352adbb5ed9ffe401cc0aa2bef979de527f2a4910081ddd30
-
Filesize 17KB
MD5 cf805cfa2db67ab4e435053039a84ee5
SHA1 65a0ea847ac22c274b47cd2d058576a5978a4f2c
SHA256 f3568fa7d7a465f82b890c0bdb64ba2b1f92c9f85a13a03187251f96c62a0272
SHA512 57a0f2431fd350f0c3008e69beae3de067fcd0d506978af807367c55598875b302bb4bfe9ff32378eac43ca688ea2c79aeab90a620755eb5d6c79f13108c880c
-
Filesize 182KB
MD5 36f5fbc77bc57aab9c79d7111516c7e7
SHA1 c129d70a7aeae057a54b57f8e6da2fcf72270da2
SHA256 c46f1238dee3d3d891d25780273e85466197b387a7c21b30231f95a46a6a00fb
SHA512 9a3230baf6a1883e57d4b722d1dd9fad382218b8f01013d344e34a84e6acebd1bdbc4d3ce3304f814f5ab1aab3241826106f68598d4ddd2b1ab7088ef06d7089
-
Filesize 1KB
MD5 fabaade5f535f6a99de911e21ef51e3a
SHA1 293225ab1e5c2d8671f934f32a8038e7ed4df93a
SHA256 38183ae2edf4bb92acfa155f1b6940002ceff9d820302133bca659d492b26c71
SHA512 b0a7dfebca56fd39b7483e0ea9818a813e104dc10b25b3bbde43ae9bc9430ea39d33a4b5ff5d0f9e951dc1db6083fbd1572cd2d7f3d5ba1743cc1615620a8487
-
Filesize 1020B
MD5 668d9bd95a699564b772d90c51b0782c
SHA1 70e177b07704fc07c505e1c66d4d726fd9e69dc1
SHA256 ec868f656105949f65f52a63d52295d161230dad3d3de2e16558acdb15ab21e1
SHA512 5b0e889ffed48230e17b1db18f6448a813326d7e7fc36391bfbb3d63811a276a2f8160ffd5d7e68de8b9fd6b1c80f21d34589b67b2d913a8afa0353b68685a8f
-
Filesize 1KB
MD5 d2d20490b1395a9a4e6e41191b70ef15
SHA1 8c44dde8bd7e6aae67a0ab58360c4ca6c6125c0f
SHA256 6b7e0039cd4a3b697589c84ab73d4166bc4b609588b3351ececc7c12d5d960b1
SHA512 2d1c6569a302c9c6cd3a256ba2d3c2fcd79586bab64d41bbf4c357f3ff794eb7e1b6e2b464f9c797b0fab5bee23359dbfba37d174f1397ce0d03ac5e783ad6b8
-
Filesize 880KB
MD5 1378bbf9c6fcebb0f002530fd7158cc5
SHA1 c97af77c8ef1a97e671f15b88858a6e7b313b448
SHA256 6f6013a9cf53e24b2bc24b341cee306525fc3b4e4593d9b7593a1180990ac208
SHA512 bdd5a2cda27c6e816f0f6852ab01a30364789844e08694db96229e4d137c4467ced10b8d4a5a0ecb8c0a6ac8f5475f77aa3a3388e2ce3bc21832ed3a4f183ad0
-
Filesize 2KB
MD5 8a418d115f0c8f125f30cb18d22e1214
SHA1 347c91d912c4340b112c39c70e69a5da32a157e2
SHA256 5ad75caeb7b5543f33f386b451545216c37767ee73332aa1d4bdf7e48a4d45e2
SHA512 0deedc60c0570bfdc4faa38b88e5e62bad822979193f76ab64af37a40ae1518a907c44353dc7b7b8a7212bd177fe5cc51ebf1d6316c3ff9670b4d318f5f2a13f
-
Filesize 2KB
MD5 b1b9b6322e7df1b1bd3c7bcb218d7572
SHA1 bc9b911b59345f5f376b6026fb4583dac1c6b830
SHA256 82e84715ba14faf145889409d2f3173c91c49686460f37ff06a4ccdf486d687f
SHA512 c1258c74a8b2d88e594142817d022c2e79c7cfceff600408cbd12e6ad7e9bbdfd5611919a2d584a3506346d7c1783dc70de3880336e14a049eb9a6134c25162a
-
Filesize 24KB
MD5 635d1c00a825fd1d760ad4685df2f6a9
SHA1 74a167330cf9181de7c0b7dc20eacd54e2379b00
SHA256 e5a27ce2404170246f813c7cf1b5f39a5fc36131a201408c8b4f32f09d0f6dd6
SHA512 7f83e92e1045dba66e1a9be00acb30eacd5cf9e5c1d1860084bc24178423136b920ec12cc7ce6291d76e65b0ad082bbc32d3d0b63ed9aaad07f91d11e5f7d21b
-
Filesize 504B
MD5 3f5319ef05905eda24c81b3c3d8bd505
SHA1 d0c5d54a77a01eefe64f7750ade6d3571dfa0ca9
SHA256 fa98e2b04e175ec6e098f212fbaf7a48d666f8b577c5f467a14c4924a29451c7
SHA512 76f85390d966e673af5128821052c4ac727f6e09769adfadb7825f69b2a92cfca3057459f5bc569eef5cc53661b7d069b8005a01624e5c931f371471349de8f8
-
Filesize 3KB
MD5 baa10358326191bf21895e1efaf325d8
SHA1 4d290c770482431e60d8b850f320a6c749f2f3b6
SHA256 b9e11c30ac70cc1d695ed810decf4f7ffc33b5cb2bb4278d4ed754f7fc5992fb
SHA512 9ef92e58bc78e6b3ce009afdb302be93074ad21d068674a98f702ff938eabc99be970dbcbfabee91197890d7dc5dd1b72a762c6e13bc38cefc391485d70ebc4f
-
Filesize 226B
MD5 8b10a843892a6e92892a5cfd701745de
SHA1 4998fdd4992835292dc641bd0b292731bf068b79
SHA256 98c8b00388f875595f16d3236438c50ca13209fe1d005584ef8cf0c4b6971f93
SHA512 52324ad4d6b90152c25d869b42107c0afa2ae0f7b4cfea66d495c75687df7d3919e232272b50e9dc699c32d09c3a277fd1cbb5e55f3ae78d5ed27ad667999619
-
Filesize 3KB
MD5 19b0db76472da22189a69fba4ef00298
SHA1 dbc5e281b2a26d3b7df1ecaf65d082c6c02ea396
SHA256 1ca85a1cc307dbafe41b215bee95ec5a8e43e7265aa5afb8c98782cf5542c7b0
SHA512 93fdd282fa6e58cd0725e31220f9b9ba4f882beac23bdb230f18dfd579a999b72237b44809d69960da2e15206f75796a8743d1d0386e18359913ddbc2338327d
-
Filesize 199B
MD5 583acc1c4e024e50eb8ae42d0fd04731
SHA1 a82fd6a29b101e410618dc260464d45e2d859d71
SHA256 3108936ff6077f72f5fa7cde39b1917abee89e1a09c821842d0ae328fd2cd849
SHA512 66fde1edf777177bb5ebe1e02cc986a6b6f227d4ac1f297103150bda1e0e61855553098f2eda9a4cf1744a7d4812731ac128b4ebc64bbd616b51f099c74f9081
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 471B
MD5 fa46a23d0e7dc259e406d33ceab3681f
SHA1 76b551dfcbd79401379451870ee9a88aa58173be
SHA256 1c5c7257b0bbb82c526219757eb9003dec7be06f293a61b8cf9b07968ab12693
SHA512 57853694542ec4131ed27cfb2cfd8d1e5c0c342687c3a7848ef605e84d170f261b849dd40ce2499be427cc747101fcce459b5eddb7eb949efb8dc590dfd405a7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4051076D49FC71A3C17D669D03AA694B
Filesize 727B
MD5 29d13e0e99ab2f660c7dedf54c9e55c1
SHA1 ad73b8a1ccf12fad8039ec378e2e989b7dcc0022
SHA256 d7fc6c3554a5e9d92354fdd91f33c94ee591e562e71a61f1da33088f5a3ed2c6
SHA512 c1d1d570bedb04f44caebde8f73fefe9f8b461b4d655fc825d36307c8b69ab68c61cb0aa52fbc5dd25a35c7a8c06a925db53084229097ea024da8c4b85905999
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 727B
MD5 e260facac9f7a604d8aa1bc98c706333
SHA1 99a900199d8f8cb2c9e1b8044b9acdcad4c8637f
SHA256 43527d0f19c4bedfdf389233fc33edd3d196766f6cbbe7a7f89db139e490d663
SHA512 e715bf7fd76b8fa71b53e56084f1dbca0e93a6a8a10af16f4735ff44594c87c0322db5462afd31ae3a07d0727c3eb20b4735d7b58e6567aca17d907b1320bab3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 400B
MD5 1f135efbf291c87a53df97a5f2cbc03c
SHA1 9c94331695842389b47476cb54d20d530eef52b9
SHA256 8f10db27669d3683f6660760b2fd331d94d935f7151544a5546b98e8fdcfc12d
SHA512 48d0022bfbe864470b4bf803baf97139d46af9a17303a2291e565bbd4e3f09e06a66f3d8301443ed1aa7f9948e27984c83e23c017707f29205a8b412775c19eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4051076D49FC71A3C17D669D03AA694B
Filesize 408B
MD5 4624d7a7d14ceb6aca792e3a70f3cd33
SHA1 ce336e3d950f0b1c118cb6ef48f17e0a4ff2a924
SHA256 a2b536c902819b277d5aaf942e1bf438ab3792ba9085253a4baf9be477da9da6
SHA512 4131108a6098b4db95b53f09cab6e2c567ef1f21620a1a08e36de11e665af9abc0a973964fa8325e00db0ccd7cbf505ade3431205334df7533a9ebb494295b13
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 412B
MD5 399f7a2d7757d9f5cf5643f59ad45d85
SHA1 36c3aeb077f337ef899453dbbd738e6d8a5c8d59
SHA256 53b895e5005f96eeb9600115cd2dc6a5995d064e9add710ec56248acf4c2a600
SHA512 f2d8ad6492615528b1ac8de420a092c7b61fc4428210a4c470b20de3b26d5defe9a7f3d6c79c1a8227135add1ba102b72ee8bf46715a73aff7f00f584a97c913
-
Filesize 1KB
MD5 e83c0ba7269ea873a8a5da8ce9f8ca80
SHA1 947db057d174cd6d28cc013dbc204e06014c6b7a
SHA256 ab394fa359707c6181699f94ee862d0dc3b2701100bdd62e6c7435edbfbe95fd
SHA512 cb4a8d0993f918613e4050bbf1c3a47f5de9cb5d0297f107a889a07ec5415764e4b529f1296abb1b35f9b0910ba62d7b132b1d2d7a15bba491dd13d4f6892c2e
-
Filesize 4KB
MD5 11e03783e112e47a8bd95ea47cd6eaea
SHA1 7dd786c2bae9fde65982836cc3e61e1ba6664423
SHA256 1e7a790ab68daf70accc4e1716401c03b7d1550e20984b1b9a3eeb3b524b3449
SHA512 96b49fd9379fd6bf0726239c8bc36696ff9083d0169ca0dc8aeeddc77c46425aa49c03091b3be5eb0a94eaf78d074890f6462a4634acbfb143572b12685b0ea1
-
Filesize 364KB
MD5 ca95f207ec70ba34b46c785f7bcb5570
SHA1 25c0d45cb9f94892e2877033d06fe8909e5b9972
SHA256 8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb
SHA512 c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831
-
Filesize 1.3MB
MD5 2bcd4f5a0f8c37ac3f56e5a16a16281b
SHA1 4f0c1af7c26f7fddd0899145b81548b460b58d69
SHA256 979e2cd2c652c8c94aa8177df8e7fd592653f64777eef52374cedb06ceedd90a
SHA512 19feec10cdc3c97373a24c8838b9d4b7d5fc3391be83d849772d0ce56f59406ccaafd22ed2daa80e0b955fa14edd846fea9037cbe7484b424fa01a4f7e6a8293
-
Filesize 10KB
MD5 a350a12cca47bc9ebf518f1efd506d02
SHA1 52a0477b4c607da050e1b06149ddee3f384e52d9
SHA256 41ee1afb5a0206f801d58484e2dcbcb0696386d636e9f2077ec9953d283414e5
SHA512 866dce7502763bab167ed0493bcd7e1ecf7edcd560a2b9a5fb880df6a3840e8d47ea895213674f6412aeeb9ca356dc1fd7190913fa73a13423bf48cb64b42b55
-
Filesize 7.2MB
MD5 52280d08d8a47a1bdafdc5202d89ed74
SHA1 6e31b6f738f560f9ca9ac53b5becf0ba735b8d90
SHA256 2c626eab3cdeecb0a63a240ad3d145dc18dcc13b3dcada1e28412b7319a8996b
SHA512 cfdadfe2fa11c526358fabe7ecdf24690b0d19d25de2155218190a9ac9820f2cd3ddb67a4f00b5d30b6d56930438dc2c74494a5e3f742e72299b68e7fa5b9393
-
Filesize 1.2MB
MD5 6961ad866f439a53b6539fa9e69a47cd
SHA1 a457b51742d1b379d78e41626e55fc52f6049318
SHA256 b5ee7a6337f320c717276e21b02c84498bcf210c4c89db2771aae6da2ef0b524
SHA512 97360a45194dc88f60ddad32fb66a5f702b56bce9a4750d1d937f5d8f2b0d8947139169884557d7f1a618538b263518e829f8033e679fd85b803efde76ac6854
-
Filesize 533KB
MD5 49221ce7fc118fc89ac1927642eb1be2
SHA1 7599a0d7de4b1d87769268fa40f691b6e6166416
SHA256 2a28e78d9bd3a2082192c70a719a99f81b998ea633cdfe3402c314590962dcc1
SHA512 9673a07384d2c102cab7ba71593e9eb816a432c8ddd39c514bba5cb6f6885e8e4197d75dd01d516ec0453d0e43d86a860ddadb454369c1b44a4827ab64503103
-
Filesize 12.8MB
MD5 af0a340a01eb0c625d9359b523161576
SHA1 8bfe63d8586517b47f7f4dd08b9dad886950af9e
SHA256 e322befaa1cb7d546d8ca84fc333bf38c933a531d387e340e8c211eb1b59b6ed
SHA512 176d49a389bfa61693e430fec339e9382131e0781ff503c0664a3afd0c44b4ac26140b2718984a70826905ef2ca0a8e09f51acaa75d4b5977ca05e618b42713a
-
\??\Volume{ff4704ea-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{403f6f2e-9cba-4c06-9bd5-70b9e90383ea}_OnDiskSnapshotProp
Filesize 6KB
MD5 a5f9e177375e269d8d2fae976c1c3354
SHA1 f86d88bbd32097d48828d8ed72506671ac72ddd1
SHA256 9e3f294539eafe82bee26f5958571f29aceb8b95ee3f7e3ba6a620f0b1b55dc0
SHA512 ae287f0df2d3cc2634dd571afd9c0f8231258fc39d5fc7235f39ad4d6559486bb5ddd79fd985e0621b2311eb51d01c94ff3595f5a3b4ff843b076d3dea88e1d7
-
Filesize 54KB
MD5 1623351efcb2e88ff532abd98e590213
SHA1 b1c6a0df7084049ae40f0bc20e9738e8509e85c9
SHA256 f350af0f8f378ef5e645755607a99d031a24bb4f8c93b6d0d35a4c51c96b9414
SHA512 9aa1093277e694dd4e40e4d75e31ea48b85f455091698b391ba3a472615bcb003ba35d771bea3aeaf499db3f7ae8e9dc3e1da190c0be89224b034047f156846b
-
Filesize 10KB
MD5 628a62c72534ffab7f2432db58620a3e
SHA1 7c1e78a486c10976ed4ed613e12a03180f31aa25
SHA256 cd0fbeb3686b00e814fefa213fd228909d4dcb5f6cc0e4ce6d88947d9ef3ef73
SHA512 853c7187de3fb00125e5588397017ded78af8ee5cd4299843a5583120fb844282f01d07ec2038e2ca9dad4a88a3f6c91cbd81166be1eab1ce796491d7deb7217
-
Filesize 8KB
MD5 9075c58d21dc9d3875ffaac48c73bded
SHA1 3f9f7662d08fbd4a1706dc935eeda725fbaa8785
SHA256 49a5b62f546b1a370d3f6e11c774ae5cdd855f7b8e4297b3188ee1dde0582782
SHA512 dcb8c44bb4d42cf5ca2b2707f00fc670d427f90a0415c8e251bcf9eb317c00e0ad5b5af97994227e4abe4af0a4c7e1f289c9e4a5d3e6066ab40c1af700599831