Overview

Score  Target                   Platform
8      Static
3      QDeskSetup1.1.1.6.exe    windows7-x64
7      QDeskSetup1.1.1.6.exe    windows10-2004-x64
7      $PLUGINSDI...ns.dll      windows7-x64
3      $PLUGINSDI...ns.dll      windows10-2004-x64
3      $PLUGINSDI...LL.dll      windows7-x64
3      $PLUGINSDI...LL.dll      windows10-2004-x64
3      $PLUGINSDI...ec.dll      windows7-x64
3      $PLUGINSDI...ec.dll      windows10-2004-x64
3      D3DCompiler_43.dll       windows7-x64
1      D3DCompiler_43.dll       windows10-2004-x64
1      D3DX9_43.dll             windows7-x64
1      D3DX9_43.dll             windows10-2004-x64
1      VMProtectSDK64.dll       windows7-x64
1      VMProtectSDK64.dll       windows10-2004-x64
1      avcodec-58.dll           windows7-x64
1      avcodec-58.dll           windows10-2004-x64
1      avdevice-58.dll          windows7-x64
1      avdevice-58.dll          windows10-2004-x64
1      avfilter-7.dll           windows7-x64
1      avfilter-7.dll           windows10-2004-x64
1      avformat-58.dll          windows7-x64
1      avformat-58.dll          windows10-2004-x64
1      avutil-56.dll            windows7-x64
1      avutil-56.dll            windows10-2004-x64
1      breakpad.dll             windows7-x64
1      breakpad.dll             windows10-2004-x64
1      d3dx11_43.dll            windows7-x64
1      d3dx11_43.dll            windows10-2004-x64
1      driver/devcon.exe        windows10-2004-x64
1      driver/idd...dd.dll      windows10-2004-x64
1      driver/install.bat       windows7-x64
1      driver/install.bat       windows10-2004-x64
Analysis (score 8)

max time kernel:   149s
max time network:  152s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         29/03/2024, 11:50
Static task
static1

Behavioral tasks

Task           Sample                            Resource
behavioral1    QDeskSetup1.1.1.6.exe             win7-20240319-en
behavioral2    QDeskSetup1.1.1.6.exe             win10v2004-20240226-en
behavioral3    $PLUGINSDIR/InstallOptions.dll    win7-20240221-en
behavioral4    $PLUGINSDIR/InstallOptions.dll    win10v2004-20231215-en
behavioral5    $PLUGINSDIR/LangDLL.dll           win7-20240221-en
behavioral6    $PLUGINSDIR/LangDLL.dll           win10v2004-20240226-en
behavioral7    $PLUGINSDIR/nsExec.dll            win7-20240221-en
behavioral8    $PLUGINSDIR/nsExec.dll            win10v2004-20240226-en
behavioral9    D3DCompiler_43.dll                win7-20240221-en
behavioral10   D3DCompiler_43.dll                win10v2004-20240226-en
behavioral11   D3DX9_43.dll                      win7-20240215-en
behavioral12   D3DX9_43.dll                      win10v2004-20240226-en
behavioral13   VMProtectSDK64.dll                win7-20240220-en
behavioral14   VMProtectSDK64.dll                win10v2004-20231215-en
behavioral15   avcodec-58.dll                    win7-20240319-en
behavioral16   avcodec-58.dll                    win10v2004-20240226-en
behavioral17   avdevice-58.dll                   win7-20240221-en
behavioral18   avdevice-58.dll                   win10v2004-20240226-en
behavioral19   avfilter-7.dll                    win7-20240221-en
behavioral20   avfilter-7.dll                    win10v2004-20240226-en
behavioral21   avformat-58.dll                   win7-20240221-en
behavioral22   avformat-58.dll                   win10v2004-20240226-en
behavioral23   avutil-56.dll                     win7-20240220-en
behavioral24   avutil-56.dll                     win10v2004-20231215-en
behavioral25   breakpad.dll                      win7-20240221-en
behavioral26   breakpad.dll                      win10v2004-20240226-en
behavioral27   d3dx11_43.dll                     win7-20240319-en
behavioral28   d3dx11_43.dll                     win10v2004-20240226-en
behavioral29   driver/devcon.exe                 win10v2004-20240226-en
behavioral30   driver/idd/qdeskidd.dll           win10v2004-20240226-en
behavioral31   driver/install.bat                win7-20231129-en
behavioral32   driver/install.bat                win10v2004-20240226-en
General

Target:  driver/install.bat
Size:    913B
MD5:     e304283c4c158fed4e877bcf1c21df7d
SHA1:    2991be31c6a1070acd7f2eea883c3ea2e91d1748
SHA256:  931170d763dbbf046aac972d548a182c473957714db63d99133ae65240459916
SHA512:  085a96602d5b055dcec3e57799ff89a8f1e3da89434be36e03592ca015ede060bdd4c05201da2126e4c60509f5508a49efe83ec2825a77dd496c6ec3e64be099

Malware Config

Signatures
Drops file in Drivers directory (3 IoCs)
(description, ioc, process)
- File opened for modification  C:\Windows\System32\drivers\ViGEmBus.sys  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\drivers\qdeskhid.sys  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\drivers\UMDF\qdeskidd.dll  (DrvInst.exe)
Drops file in System32 directory (51 IoCs)
(description, ioc, process)
- File created  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\SET3951.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.cat  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\SET3C30.tmp  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\drvstore.tmp  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\FileRepository\qdeskhid.inf_amd64_385d0c3ae105b2f1\qdeskhid.PNF  (devcon.exe)
- File created  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\SET3E62.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\qdeskidd.inf_amd64_a7f939b7fae6e12a\qdeskidd.dll  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\FileRepository\qdeskidd.inf_amd64_a7f939b7fae6e12a\qdeskidd.PNF  (devcon.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\qdeskhid.inf_amd64_385d0c3ae105b2f1\qdeskhid.sys  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\SET3C2E.tmp  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\SET3C2F.tmp  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\SET3E51.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\SET3961.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\ViGEmBus.cat  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\qdeskidd.inf_amd64_a7f939b7fae6e12a\qdeskidd.cat  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\SET3950.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\qdeskhid.inf  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\SET3C30.tmp  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\drvstore.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.sys  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\qdeskhid.inf_amd64_385d0c3ae105b2f1\qdeskhid.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\SET3E51.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\qdeskidd.cat  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\SET3961.tmp  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\drvstore.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\SET3950.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\vigembus.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.sys  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\qdeskidd.inf_amd64_a7f939b7fae6e12a\qdeskidd.dll  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\SET3951.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\qdeskhid.sys  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\qdeskhid.inf_amd64_385d0c3ae105b2f1\qdeskhid.sys  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\SET3C2E.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\vigembus.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\SET3C2F.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\SET3E63.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\qdeskidd.inf_amd64_a7f939b7fae6e12a\qdeskidd.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\ViGEmBus.sys  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\SET3E62.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{d8cd8725-ac04-2444-b52d-94612c034118}\qdeskhid.cat  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\vigembus.PNF  (devcon.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\qdeskidd.dll  (DrvInst.exe)
- File created  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\SET3E63.tmp  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\Temp\{c769825b-6ca9-fc47-8a85-92032b148f90}\qdeskidd.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\DriverStore\FileRepository\qdeskhid.inf_amd64_385d0c3ae105b2f1\qdeskhid.cat  (DrvInst.exe)
- File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  (DrvInst.exe)
Drops file in Windows directory (17 IoCs)
(description, ioc, process)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (DrvInst.exe)
- File created  C:\Windows\inf\oem4.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (DrvInst.exe)
- File created  C:\Windows\INF\c_display.PNF  (devcon.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (devcon.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (svchost.exe)
- File created  C:\Windows\inf\oem3.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (DrvInst.exe)
- File opened for modification  C:\Windows\inf\oem4.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (DrvInst.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (DrvInst.exe)
- File opened for modification  C:\Windows\inf\oem3.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (devcon.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (devcon.exe)
- File opened for modification  C:\Windows\inf\oem5.inf  (DrvInst.exe)
- File opened for modification  C:\Windows\INF\setupapi.dev.log  (DrvInst.exe)
- File created  C:\Windows\inf\oem5.inf  (DrvInst.exe)
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Note: every read in this table comes from devcon.exe or DrvInst.exe, the Windows PnP tooling that install.bat drives, and the values read (HardwareID, CompatibleIDs, Service, LowerFilters, Filters, Phantom) are the ones the PnP manager consults for every device node when a driver package is enumerated, removed or installed. Nothing on this page shows the batch file or the installer consuming the result, so this signature should be read as driver-installation noise rather than as evidence that the sample fingerprints the virtual disk and DVD-ROM.
(description, ioc, process)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID  (devcon.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  (devcon.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom  (DrvInst.exe)
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  (DrvInst.exe)
- Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID  (devcon.exe)
Modifies data under HKEY_USERS (64 IoCs)
(description, ioc, process; all keys are created by DrvInst.exe under \REGISTRY\USER\.DEFAULT\Software\ while it validates the driver packages' catalog signatures)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  (DrvInst.exe)
- Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  (DrvInst.exe)
Suspicious behavior: LoadsDriver (1 IoC)
- pid 4 (the System process: the kernel performs the driver load itself, on behalf of the DrvInst.exe installs that hold SeLoadDriverPrivilege below)
Suspicious use of AdjustPrivilegeToken (20 IoCs)
(description, pid, process)
- Token: SeAuditPrivilege  1128  (svchost.exe)
- Token: SeSecurityPrivilege  1128  (svchost.exe)
- Token: SeLoadDriverPrivilege  5044  (devcon.exe)
- Token: SeRestorePrivilege  2672  (DrvInst.exe)
- Token: SeBackupPrivilege  2672  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  2672  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  2672  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  2672  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  2996  (devcon.exe)
- Token: SeRestorePrivilege  1140  (DrvInst.exe)
- Token: SeBackupPrivilege  1140  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  1140  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  1140  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  1140  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  2832  (devcon.exe)
- Token: SeRestorePrivilege  5056  (DrvInst.exe)
- Token: SeBackupPrivilege  5056  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  5056  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  5056  (DrvInst.exe)
- Token: SeLoadDriverPrivilege  5056  (DrvInst.exe)
Reading the table against the Processes section: each of the three `devcon install` children of the batch file (PIDs 5044, 2996, 2832) enables SeLoadDriverPrivilege once, and each DrvInst.exe instance the DeviceInstall service spawns for a package (PIDs 2672, 1140, 5056) enables SeRestorePrivilege, SeBackupPrivilege and SeLoadDriverPrivilege. The service host itself (1128) only enables SeAuditPrivilege and SeSecurityPrivilege.
Suspicious use of WriteProcessMemory (46 IoCs)
(description, pid, process, procid_target)
- PID 1808 wrote to memory of 4532  1808  cmd.exe  89
- PID 1808 wrote to memory of 4532  1808  cmd.exe  89
- PID 1808 wrote to memory of 4312  1808  cmd.exe  90
- PID 1808 wrote to memory of 4312  1808  cmd.exe  90
- PID 1808 wrote to memory of 4180  1808  cmd.exe  91
- PID 1808 wrote to memory of 4180  1808  cmd.exe  91
- PID 1808 wrote to memory of 2768  1808  cmd.exe  92
- PID 1808 wrote to memory of 2768  1808  cmd.exe  92
- PID 1808 wrote to memory of 4520  1808  cmd.exe  93
- PID 1808 wrote to memory of 4520  1808  cmd.exe  93
- PID 1808 wrote to memory of 5044  1808  cmd.exe  94
- PID 1808 wrote to memory of 5044  1808  cmd.exe  94
- PID 1128 wrote to memory of 4664  1128  svchost.exe  96
- PID 1128 wrote to memory of 4664  1128  svchost.exe  96
- PID 1128 wrote to memory of 2672  1128  svchost.exe  97
- PID 1128 wrote to memory of 2672  1128  svchost.exe  97
- PID 1808 wrote to memory of 4712  1808  cmd.exe  98
- PID 1808 wrote to memory of 4712  1808  cmd.exe  98
- PID 1808 wrote to memory of 3424  1808  cmd.exe  99
- PID 1808 wrote to memory of 3424  1808  cmd.exe  99
- PID 1808 wrote to memory of 3360  1808  cmd.exe  100
- PID 1808 wrote to memory of 3360  1808  cmd.exe  100
- PID 1808 wrote to memory of 4884  1808  cmd.exe  101
- PID 1808 wrote to memory of 4884  1808  cmd.exe  101
- PID 1808 wrote to memory of 3352  1808  cmd.exe  102
- PID 1808 wrote to memory of 3352  1808  cmd.exe  102
- PID 1808 wrote to memory of 2996  1808  cmd.exe  103
- PID 1808 wrote to memory of 2996  1808  cmd.exe  103
- PID 1128 wrote to memory of 1712  1128  svchost.exe  104
- PID 1128 wrote to memory of 1712  1128  svchost.exe  104
- PID 1128 wrote to memory of 1140  1128  svchost.exe  105
- PID 1128 wrote to memory of 1140  1128  svchost.exe  105
- PID 1808 wrote to memory of 232  1808  cmd.exe  106
- PID 1808 wrote to memory of 232  1808  cmd.exe  106
- PID 1808 wrote to memory of 3124  1808  cmd.exe  107
- PID 1808 wrote to memory of 3124  1808  cmd.exe  107
- PID 1808 wrote to memory of 784  1808  cmd.exe  108
- PID 1808 wrote to memory of 784  1808  cmd.exe  108
- PID 1808 wrote to memory of 2100  1808  cmd.exe  109
- PID 1808 wrote to memory of 2100  1808  cmd.exe  109
- PID 1808 wrote to memory of 2832  1808  cmd.exe  110
- PID 1808 wrote to memory of 2832  1808  cmd.exe  110
- PID 1128 wrote to memory of 3604  1128  svchost.exe  111
- PID 1128 wrote to memory of 3604  1128  svchost.exe  111
- PID 1128 wrote to memory of 5056  1128  svchost.exe  112
- PID 1128 wrote to memory of 5056  1128  svchost.exe  112
Every target of cmd.exe 1808 is one of its own children in the Processes section, and the targets of the DeviceInstall svchost.exe 1128 include the three DrvInst.exe instances (2672, 1140, 5056) from the AdjustPrivilegeToken table (4664, 1712 and 3604 are not shown on this page). Writes by a parent into a process it has just created are what process creation looks like to this signature; there is no write into an unrelated process here.
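The signature tables above are the raw material for host hunting, but the extraction flattens each table into one line. The following Python is an added example (not part of the tria.ge report and not code from the QDesk installer) that splits a flattened file-drop table back into (action, path, process) records and derives the two things an analyst would pivot on: the driver-store package directories that were staged and the kernel-mode binaries that landed in System32\drivers. The function names and the structure of the result are mine; the sample blobs are copied from the "Drops file in Drivers directory" table and a subset of the "Drops file in System32 directory" table on this page.

```python
import re
from collections import Counter

# tria.ge renders each file-drop signature as rows of "<action> <ioc> <process>";
# HTML extraction flattens the rows into one line. Only the two actions that
# occur in the tables on this page are handled.
FILE_ACTIONS = ("File opened for modification", "File created")
_ACTION_ALT = "|".join(re.escape(a) for a in FILE_ACTIONS)
_RECORD_RE = re.compile(
    rf"(?P<action>{_ACTION_ALT})\s+"
    rf"(?P<path>.+?)\s+"                  # lazy: grows until a "<process>.exe" token
    rf"(?P<process>\S+\.exe)"
    rf"(?=\s+(?:{_ACTION_ALT})\s|\s*$)"   # ...that is followed by the next row or the end
)
# <name>.inf_amd64_<hash> is how the driver store names a staged package directory.
_PACKAGE_RE = re.compile(r"DriverStore\\FileRepository\\([^\\]+\.inf_amd64_[0-9a-f]+)", re.I)
_KERNEL_DRIVER_DIR = r"c:\windows\system32\drivers" + "\\"

# Sample input copied from the signature tables on this page (constructed test data).
DRIVERS_DIR_BLOB = (
    r"File opened for modification C:\Windows\System32\drivers\ViGEmBus.sys DrvInst.exe "
    r"File opened for modification C:\Windows\System32\drivers\qdeskhid.sys DrvInst.exe "
    r"File opened for modification C:\Windows\System32\drivers\UMDF\qdeskidd.dll DrvInst.exe"
)
SYSTEM32_BLOB = (
    r"File created C:\Windows\System32\DriverStore\Temp\{77041586-67a4-804e-a683-aba8988d386f}\SET3951.tmp DrvInst.exe "
    r"File opened for modification C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.cat DrvInst.exe "
    r"File created C:\Windows\System32\DriverStore\FileRepository\qdeskhid.inf_amd64_385d0c3ae105b2f1\qdeskhid.PNF devcon.exe "
    r"File opened for modification C:\Windows\System32\DriverStore\FileRepository\qdeskidd.inf_amd64_a7f939b7fae6e12a\qdeskidd.dll DrvInst.exe "
    r"File created C:\Windows\System32\DriverStore\FileRepository\qdeskidd.inf_amd64_a7f939b7fae6e12a\qdeskidd.PNF devcon.exe "
    r"File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe"
)


def parse_file_iocs(blob):
    """Split a flattened signature table into (action, path, process) tuples."""
    return [(m["action"], m["path"], m["process"]) for m in _RECORD_RE.finditer(blob)]


def driver_packages(records):
    """Driver-store package directories touched (one per INF that DrvInst staged)."""
    return {m.group(1) for _, path, _ in records if (m := _PACKAGE_RE.search(path))}


def kernel_driver_drops(records):
    """Kernel-mode driver binaries written to System32\\drivers (UMDF DLLs excluded)."""
    return {
        path for _, path, _ in records
        if path.lower().startswith(_KERNEL_DRIVER_DIR) and path.lower().endswith(".sys")
    }


def triage(*blobs):
    """Combine any number of flattened tables into a hunting summary."""
    records = [r for blob in blobs for r in parse_file_iocs(blob)]
    return {
        "records": len(records),
        "packages": sorted(driver_packages(records)),
        "kernel_drivers": sorted(kernel_driver_drops(records)),
        "writers": Counter(proc for _, _, proc in records),
    }


if __name__ == "__main__":
    for key, value in triage(DRIVERS_DIR_BLOB, SYSTEM32_BLOB).items():
        print(f"{key}: {value}")
```

The package names (vigembus.inf_amd64_f92aab85c34952aa and the two qdesk packages) are what `pnputil /enum-drivers` and the DriverStore directory listing show on a host, so they are a better pivot than the temporary {GUID}\SET*.tmp paths, which are random per installation. The .PNF entries created by devcon.exe are precompiled-INF caches and carry no code.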
Processes

C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\driver\install.bat"
- Suspicious use of WriteProcessMemory
PID: 1808

    C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" ver "
    PID: 4532

    C:\Windows\system32\find.exe
    Command line: find "10.0"
    PID: 4312

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon status Nefarius\ViGEmBus\Gen1
    - Checks SCSI registry key(s)
    PID: 4180

    C:\Windows\system32\findstr.exe
    Command line: findstr "Driver is running"
    PID: 2768

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon remove Nefarius\ViGEmBus\Gen1
    - Checks SCSI registry key(s)
    PID: 4520

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon install vigem\ViGEmBus.inf Nefarius\ViGEmBus\Gen1
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID: 5044

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon status djpnewton\vmulti
    - Checks SCSI registry key(s)
    PID: 4712

    C:\Windows\system32\findstr.exe
    Command line: findstr "Driver is running"
    PID: 3424

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon status Root\qdeskvhid
    - Checks SCSI registry key(s)
    PID: 3360

    C:\Windows\system32\findstr.exe
    Command line: findstr "Driver is running"
    PID: 4884

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon remove *qdeskvhid*
    - Checks SCSI registry key(s)
    PID: 3352

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon.exe install qdeskhid\qdeskhid.inf root\qdeskvhid
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID: 2996

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon remove Root\Qdesk\IDD
    - Checks SCSI registry key(s)
    PID: 232

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon status Root\Qdesk\IDD
    - Checks SCSI registry key(s)
    PID: 3124

    C:\Windows\system32\findstr.exe
    Command line: findstr "Driver is running"
    PID: 784

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon remove Root\Qdesk\IDD
    - Checks SCSI registry key(s)
    PID: 2100

    C:\Users\Admin\AppData\Local\Temp\driver\devcon.exe
    Command line: devcon install idd\qdeskidd.inf Root\Qdesk\IDD
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID: 2832

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1128

    C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3850783a-65a7-1f49-820d-a269cbc3d4b0}\vigembus.inf" "9" "429a86e87" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\local\temp\driver\vigem"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    PID: 4664

    C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce88408607219:ViGEmBus_Device:1.17.333.0:nefarius\vigembus\gen1," "429a86e87" "000000000000014C"
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID: 2672

    C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d439740c-eeaa-3644-8caf-751a62952425}\qdeskhid.inf" "9" "47099baef" "0000000000000160" "WinSta0\Default" "0000000000000170" "208" "c:\users\admin\appdata\local\temp\driver\qdeskhid"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    PID: 1712

    C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "2" "211" "ROOT\USB\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:c14ce884788e99ee:qdeskhid_Device:14.16.37.368:root\qdeskvhid," "47099baef" "0000000000000160"
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID: 1140

    C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d06b75cc-d1af-8240-b678-50530b88de90}\qdeskidd.inf" "9" "4f369b2e7" "000000000000014C" "WinSta0\Default" "0000000000000184" "208" "c:\users\admin\appdata\local\temp\driver\idd"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    PID: 3604

    C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem5.inf" "oem5.inf:c14ce8840c48fa1f:Qdeskidd_Install:14.7.32.627:root\qdesk\idd," "4f369b2e7" "000000000000014C"
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID: 5056
Network
MITRE ATT&CK Enterprise v15
Downloads