Analysis
  max time kernel:   589s
  max time network:  454s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240226-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         03/04/2024, 19:45 (3 April 2024; the installer's own temp-directory timestamps later in the report, e.g. 20240403194804, read the same way)
Static task
  static1

Behavioral tasks
  behavioral1:  sample TruCheck_v3.03.70_b3647_Updater.exe, resource win10v2004-20240226-en
  behavioral2:  sample TruCheck_v3.03.70_b3647_Updater.exe, resource win11-20240319-en
General
  Target:  TruCheck_v3.03.70_b3647_Updater.exe
  Size:    195.7MB
  MD5:     719e9af110e7527608b8006f6290a29c
  SHA1:    74a0684bffc141503c55572c12eecba2a3d9e5a1
  SHA256:  29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12
  SHA512:  140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae
  SSDEEP:  3145728:caSFaGTMXZ+IasZ4AR/gh6O6gx7AFaTzT6B7jdsOL9Nf0iVbSJNTRK:2aGwJ+TO496nU/nO7jdnky
Malware Config
  (no configuration extracted)

Signatures
Drops file in Drivers directory (3 IoCs)
  File created  C:\Windows\SysWOW64\Drivers\cbul32.sys     msiexec.exe
  File created  C:\Windows\SysWOW64\Drivers\cbulwdm.sys    msiexec.exe
  File created  C:\Windows\SysWOW64\Drivers\pcidaqlib.sys  msiexec.exe
  The drivers land under SysWOW64 rather than System32 because this is a 32-bit MSI package (it installs to Program Files (x86)); on 64-bit Windows the Windows Installer SystemFolder property of a 32-bit package resolves to SysWOW64.
Manipulates Digital Signatures (1 TTP, 1 IoC)
  Writes to the certificate stores that Authenticode and the Windows cryptography stack keep in the registry. Attackers use this to get their own publisher certificate trusted so that their binaries pass signature checks.
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A0DD3939603DCF72168211E663EF70013B76640F\Blob = (value elided)  DrvInst.exe
  Caveat: the writer is DrvInst.exe, the Windows driver-installation host launched by the Plug and Play service, and the write happens during the staging of the trucheck.inf driver package shown under "Drops file in System32 directory". Accepting a driver package's publisher into TrustedPublisher at install time is the normal way a third-party driver's certificate ends up in that store, so this row is consistent with a signed third-party driver install rather than with tampering. The report gives only the SHA-1 thumbprint (the key name), not the certificate itself; on a host, inspect that TrustedPublisher entry to see which publisher was trusted.
Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CBUL32\ImagePath = "System32\\Drivers\\cbul32.sys"  msiexec.exe
  Note the mismatch with the Drivers-directory rows: the file was written to C:\Windows\SysWOW64\Drivers\cbul32.sys, but a relative kernel-mode ImagePath is resolved against the real %SystemRoot%\System32, not SysWOW64. Whether the CBUL32 service was ever started, and whether a copy of the driver also exists under System32\Drivers, is not something this report shows.
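As an added example (not code from tria.ge or from the TruCheck package), the script below takes the rows of the three driver-related signatures above, Drops file in Drivers directory, Manipulates Digital Signatures and Sets service image path in registry, parses them into records and correlates them: which .sys files were dropped, which certificate thumbprint was written to TrustedPublisher, and whether each service's ImagePath actually points at the location where its driver was dropped. The `<action> <ioc> [= <value>] <process>` row layout and the `<elided>` placeholder standing in for the certificate blob are assumptions about how these tables read on the page; the sample rows are constructed from them.

```python
"""Correlate driver-install IoCs from a Triage-style sandbox report.

Added example for this page; it is not code from tria.ge or from the TruCheck
installer. The rows are constructed from the signature tables 'Drops file in
Drivers directory', 'Manipulates Digital Signatures' and 'Sets service image
path in registry'. The '<action> <ioc> [= <value>] <process>' layout is an
assumption about how those tables flatten to text, not a Triage API.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input, copied from the signature rows on this page.
# The certificate Blob value is elided on the page, so it is elided here too.
SAMPLE_ROWS = [
    r"File created C:\Windows\SysWOW64\Drivers\cbul32.sys msiexec.exe",
    r"File created C:\Windows\SysWOW64\Drivers\cbulwdm.sys msiexec.exe",
    r"File created C:\Windows\SysWOW64\Drivers\pcidaqlib.sys msiexec.exe",
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CBUL32\ImagePath'
    r' = "System32\\Drivers\\cbul32.sys" msiexec.exe',
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates"
    r"\TrustedPublisher\Certificates\A0DD3939603DCF72168211E663EF70013B76640F\Blob"
    r" = <elided> DrvInst.exe",
]

# Row prefixes used by the tables on this page (longer variants listed first so
# that 'File opened for modification' is never matched as a shorter action).
ACTIONS = (
    "File opened for modification", "File opened (read-only)", "File created",
    "Set value (data)", "Set value (str)", "Key value queried", "Key created", "Key opened",
)

THUMBPRINT_RE = re.compile(r"\\TrustedPublisher\\Certificates\\([0-9A-Fa-f]{40})\\Blob$")


@dataclass
class Ioc:
    action: str
    target: str            # file path or registry key/value path
    value: Optional[str]   # registry data for 'Set value' rows, else None
    process: str


def parse_row(row: str) -> Ioc:
    """Split one flattened table row into (action, target, value, process)."""
    action = next((a for a in ACTIONS if row.startswith(a + " ")), None)
    if action is None:
        raise ValueError(f"unrecognised row: {row!r}")
    body, _, process = row[len(action):].strip().rpartition(" ")
    value = None
    if " = " in body:
        body, _, value = body.partition(" = ")
        # REG_SZ data is printed as a quoted literal with doubled backslashes.
        value = value.strip('"').replace("\\\\", "\\")
    return Ioc(action, body, value, process)


def dropped_drivers(iocs: List[Ioc]) -> Set[str]:
    """Full paths of .sys files the sample wrote."""
    return {i.target for i in iocs
            if i.action == "File created" and i.target.lower().endswith(".sys")}


def trusted_publisher_thumbprints(iocs: List[Ioc]) -> Set[str]:
    """SHA-1 thumbprints (the key names) of certificates written into TrustedPublisher."""
    out = set()
    for i in iocs:
        m = THUMBPRINT_RE.search(i.target) if i.action.startswith("Set value") else None
        if m:
            out.add(m.group(1).upper())
    return out


def correlate_services(iocs: List[Ioc]) -> Dict[str, dict]:
    """Pair each service ImagePath write with the dropped file of the same name.

    A relative kernel-mode ImagePath is resolved against the real
    %SystemRoot%\\System32, never SysWOW64, so a driver dropped under SysWOW64
    (the 32-bit package's system folder) is flagged as a path mismatch.
    """
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in dropped_drivers(iocs)}
    result = {}
    for i in iocs:
        if not (i.action.startswith("Set value") and i.target.upper().endswith("\\IMAGEPATH")):
            continue
        service = i.target.split("\\")[-2]
        image = i.value or ""
        dropped_at = by_name.get(image.rsplit("\\", 1)[-1].lower())
        expected_suffix = "\\" + image.lower().lstrip("\\")
        result[service] = {
            "image_path": image,
            "dropped_at": dropped_at,
            "path_mismatch": dropped_at is not None
                             and not dropped_at.lower().endswith(expected_suffix),
        }
    return result


def triage(rows: List[str]) -> dict:
    """Run the three correlations over flattened report rows."""
    iocs = [parse_row(r) for r in rows]
    return {
        "dropped_drivers": dropped_drivers(iocs),
        "trusted_publisher_thumbprints": trusted_publisher_thumbprints(iocs),
        "services": correlate_services(iocs),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ROWS).items():
        print(f"{key}: {val}")
```

Run as a script it prints the three results; the path_mismatch flag on CBUL32 is the item a triager would follow up on, since nothing in the report says whether a copy of cbul32.sys exists under the real System32\Drivers or whether the service ever started.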
Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, which may indicate geofencing.
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  TruCheck_v3.03.70_b3647_Updater.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  UpdateTool.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  TruCheckSetup.exe
  Caveat: this value backs the Win32 GetUserGeoID API and is read by many installers and runtimes for region defaults, so a single read is weak evidence of geofencing on its own. What would matter is code that branches on the value, which this report does not show.
Executes dropped EXE (10 IoCs)
  pid   process
  3888  UpdateTool.exe
  4636  TruCheckSetup.exe
  432   W64Install.exe
  5040  TruCheck.exe
  3400  TruCheck.exe
  4188  TruCheck.exe
  2664  Sleepstates_Tool.exe
  1128  HardwareWizard.exe
  1540  devcon.exe
  2944  devcon.exe
  W64Install.exe, HardwareWizard.exe and devcon.exe are the driver-installation helpers the MSI writes under Drivers\ (see the Program Files table below); devcon.exe carries the name of Microsoft's DevCon device-console utility, which driver installers commonly ship to install and restart devices from the command line.
Loads dropped DLL (64 IoCs)
  pid   process   (the original lists one row per load event; repeated rows are collapsed here, most of the 64 loads being by the two TruCheck.exe instances)
  736   MsiExec.exe
  1088  MsiExec.exe
  4284  MsiExec.exe
  432   W64Install.exe
  5040  TruCheck.exe
  3400  TruCheck.exe
YARA rule matches (3 IoCs)
  resource                                                                       rule
  behavioral1/memory/3400-518-0x00000000177B0000-0x00000000183D0000-memory.dmp  upx
  behavioral1/memory/3400-519-0x00000000177B0000-0x00000000183D0000-memory.dmp  upx
  behavioral1/memory/3400-522-0x00000000177B0000-0x00000000183D0000-memory.dmp  upx
  All three hits are the upx rule against memory dumps of pid 3400, which the Executes dropped EXE table identifies as an instance of TruCheck.exe, so a UPX-packed image was mapped in that process at 0x177B0000-0x183D0000.
Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  28    4120  msiexec.exe
  30    4120  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of drives other than the default C: drive.
  All 46 rows are "File opened (read-only)" by msiexec.exe on a drive root \??\X:. Every letter except C:, D: and F: is opened twice: A:, B:, E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z: (23 letters x 2 = 46).
  Windows Installer enumerates volumes during its costing phase (free-space calculation), so for an MSI-based installer this is expected behaviour.
Drops file in System32 directory (63 IoCs)
  DrvInst.exe, staging the driver package into the driver store (40 rows). Below, Temp = C:\Windows\System32\DriverStore\Temp\{9da650e8-91b2-304d-adaa-1d762f8feb49} and Repo = C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6:
    File created                  Temp\x64\SET55DB.tmp
    File created                  Temp\x64\SET55DC.tmp
    File created                  Temp\x64\SET55DD.tmp
    File created                  Temp\x64\SET55EE.tmp
    File created                  Temp\x64\SET563D.tmp
    File created                  Temp\x64\SET564E.tmp
    File created                  Temp\SET564F.tmp
    File created                  Temp\SET5650.tmp
    File created                  Temp\SET5660.tmp
    File created                  C:\Windows\System32\DriverStore\drvstore.tmp
    File opened for modification  Temp
    File opened for modification  Temp\x64
    File opened for modification  Temp\x64\SET55DB.tmp
    File opened for modification  Temp\x64\SET55DC.tmp
    File opened for modification  Temp\x64\SET55DD.tmp
    File opened for modification  Temp\x64\SET55EE.tmp
    File opened for modification  Temp\x64\SET563D.tmp
    File opened for modification  Temp\x64\SET564E.tmp
    File opened for modification  Temp\SET564F.tmp
    File opened for modification  Temp\SET5650.tmp
    File opened for modification  Temp\SET5660.tmp
    File opened for modification  Temp\trucheck.inf
    File opened for modification  Temp\webscan.cat
    File opened for modification  Temp\tcusbld.spt
    File opened for modification  Temp\x64\PGRUSBCam.sys
    File opened for modification  Temp\x64\StUSB.sys
    File opened for modification  Temp\x64\CyUsb.sys
    File opened for modification  Temp\x64\uEye_usb.sys
    File opened for modification  Temp\x64\uEye_boot.sys
    File opened for modification  Temp\x64\wdfcoinstaller01009.dll
    File opened for modification  Repo\trucheck.inf
    File opened for modification  Repo\webscan.cat
    File opened for modification  Repo\tcusbld.spt
    File opened for modification  Repo\x64\PGRUSBCam.sys
    File opened for modification  Repo\x64\StUSB.sys
    File opened for modification  Repo\x64\CyUsb.sys
    File opened for modification  Repo\x64\uEye_usb.sys
    File opened for modification  Repo\x64\uEye_boot.sys
    File opened for modification  Repo\x64\wdfcoinstaller01009.dll
    File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt
  msiexec.exe (6 rows, all "File created", all in C:\Windows\SysWOW64):
    cb.cfg, ulprops.txt, cbw32.dll, tcusbld\tcusbld.spt, cbercode.txt, DaqLib.dll
  W64Install.exe (2 rows):
    File created                  Repo\trucheck.PNF
    File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt
  rundll32.exe (15 rows, all "File opened for modification", all in C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer):
    iconcache_16.db, iconcache_32.db, iconcache_48.db, iconcache_96.db, iconcache_256.db, iconcache_768.db, iconcache_1280.db, iconcache_1920.db, iconcache_2560.db, iconcache_idx.db, iconcache_sr.db, iconcache_wide.db, iconcache_wide_alternate.db, iconcache_exif.db, iconcache_custom_stream.db
Drops file in Program Files directory (64 IoCs)
  All rows are "File created" by msiexec.exe (one by the custom-action host MsiExec.exe, marked) under C:\Program Files (x86)\Webscan Inc\TruCheck\:
  Application files (19):
    TruCheck.exe, TruCheckCoreManaged.DLL, TruCheckControl.DLL, TruCheckDataTypes.DLL, TruCheckRemote.DLL, StTrgApi.dll, Fonet.DLL, Office.DLL, FlyCapture2_v90.dll, FlyCapture2Managed_v90.DLL, CyUSB.DLL, WPFToolkit.DLL, Ionic.Zip.Reduced.DLL, RawPrinterHelper.DLL, AcroPDF.dll, msvcr71.dll, libiomp5md.dll, faq.rtf, EULA.rtf
  Localised resources (6):
    en-US\TruCheck.resources.dll, en-US\TruCheckCoreManaged.resources.dll, de\TruCheck.resources.dll, es\TruCheck.resources.dll, zh-CN\TruCheck.resources.dll, zh-CN\TruCheckCoreManaged.resources.dll
  Drivers\ (3):
    webscan.cat, HardwareWizard.exe, InstallDriver.InstallState (MsiExec.exe)
  Drivers\x64\ (6):
    DIFxAPI.dll, WdfCoInstaller01009.dll, devcon.exe, W64Install.exe, StUSB.sys, uEye_boot.sys
  Drivers\x86\ (6):
    ds2490.sys, StUSB.sys, WdfCoInstaller01009.dll, CyUSB.sys, PGRUSBCam.sys, uEye_boot.sys
  Drivers\Legacy\ (3):
    InstallDriver.InstallState, InstallDriver.dll, trucheck.inf
  Drivers\Legacy\x64\ (3):
    W64Install.exe, StUSB.sys, uEye_usb.sys
  Drivers\Legacy\x86\ (7):
    DIFxAPI.dll, ds2490.sys, CyUSB.sys, W32Install.exe, tcusbld.sys, devcon.exe, uEye_usb.sys
  Drivers\Firmware\usb3\ (2):
    fx3_firmware.fwc, fx3_ddr_firmware.fwc
  Drivers\Firmware\usb3_addon\ (9):
    usb3_cp_1v8_parallel.fwc, usb3_cp_1v8_lvds_sony.fwc, usb3_ml_le_1v8_parallel.fwc, usb3_cp_3v3_lvds_cmosis.fwc, usb3_cp_ddr_1v8_lvds_sony.fwc, usb3_ml_le_3v3_parallel.fwc, usb3_le2_1v8_lvds_sony_spi.fwc, usb3_cp_ddr_1v8_lvds_aptina.fwc, usb3_cp_no_ddr_1v8_lvds_aptina_2phy.fwc
Drops file in Windows directory (42 IoCs)
  msiexec.exe (36 rows):
    C:\Windows\Installer\
      File created                  e583563.msi, e583565.msi, inprogressinstallinfo.ipi, SourceHash{3F408034-3680-483F-A303-286D629038CA}
      File opened for modification  C:\Windows\Installer\ (the directory itself), e583563.msi, MSI39A9.tmp, MSI3A07.tmp, MSI3E10.tmp, MSI4823.tmp, MSI53FB.tmp
    C:\Windows\Installer\{3F408034-3680-483F-A303-286D629038CA}\ (each file both "File created" and "File opened for modification", 12 rows)
      _0E37E41083FECCF3667319.exe, _6FEFF9B68218417F98F549.exe, _7AEE8AE8AD14D0F56F77BB.exe, _9F6C3D26641EA137EC70B4.exe, _B3A921879F719C288BE06C.exe, _B5F8CC6E4F9FA1A6023003.exe
    C:\Windows\WinSxS\InstallTemp\20240403194804141.0
      File opened for modification  the directory itself
      File created                  x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat, x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest, msvcr90.dll, msvcp90.dll, msvcm90.dll
    C:\Windows\WinSxS\InstallTemp\20240403194804875.0
      File opened for modification  the directory itself
      File created                  9.0.21022.8.policy, 9.0.21022.8.cat
    C:\Windows\Inf\
      File created                  daqlib.inf, cbi95.inf, cbicom.inf
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
      File opened for modification
  DrvInst.exe (3 rows):
    File created                  C:\Windows\inf\oem3.inf
    File opened for modification  C:\Windows\inf\oem3.inf
    File opened for modification  C:\Windows\INF\setupapi.dev.log
  svchost.exe (1 row):
    File opened for modification  C:\Windows\INF\setupapi.dev.log
  W64Install.exe (1 row):
    File opened for modification  C:\Windows\INF\setupapi.dev.log
  dw20.exe (1 row):
    File created                  C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage or optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandbox environments.
  Caveat: none of these reads comes from the application itself (TruCheck.exe, UpdateTool.exe, TruCheckSetup.exe). They come from Windows device-management components (svchost.exe, DrvInst.exe, vssvc.exe, taskmgr.exe), from the MSI custom-action host (MsiExec.exe) and from the package's driver-install helpers W64Install.exe and devcon.exe, and the values read (HardwareID, CompatibleIDs, ConfigFlags, Phantom) are the ones PnP device matching needs, so here they are a by-product of the driver installation. The Ven_DADY and Msft Virtual_DVD-ROM strings are nonetheless a recognisable sandbox fingerprint, which is why the signature exists; treat it as context rather than as evidence of evasion unless the sample's own code is seen acting on the values.
  Device instance keys, all under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (some rows appear upper-cased in the original; case is not significant in registry paths):
    MsftDVD1 = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
    MsftDVD2 = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
    DadyDVD  = CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
    DadyDisk = Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  svchost.exe (9 rows):
    Key opened         MsftDVD1\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009
    Key opened         MsftDVD2\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009
    Key opened         DadyDVD\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009
    Key opened         DadyDisk\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009
    Key opened         MsftDVD2
    Key opened         DadyDVD
    Key opened         DadyDisk
    Key value queried  DadyDVD\ConfigFlags
    Key value queried  DadyDisk\ConfigFlags
  W64Install.exe (16 rows):
    Key opened         MsftDVD1
    Key opened         MsftDVD2
    Key opened         DadyDVD
    Key opened         DadyDisk
    Key value queried  MsftDVD1\HardwareID
    Key value queried  MsftDVD1\CompatibleIDs
    Key value queried  MsftDVD1\Phantom
    Key value queried  MsftDVD2\HardwareID
    Key value queried  MsftDVD2\CompatibleIDs
    Key value queried  MsftDVD2\Phantom
    Key value queried  DadyDVD\HardwareID
    Key value queried  DadyDVD\CompatibleIDs
    Key value queried  DadyDVD\ConfigFlags
    Key value queried  DadyDisk\HardwareID
    Key value queried  DadyDisk\CompatibleIDs
    Key value queried  DadyDisk\ConfigFlags
  DrvInst.exe (16 rows):
    Key opened         MsftDVD1
    Key opened         MsftDVD2
    Key opened         DadyDVD
    Key opened         DadyDisk
    Key value queried  MsftDVD1\HardwareID
    Key value queried  MsftDVD1\CompatibleIDs
    Key value queried  MsftDVD1\Phantom
    Key value queried  MsftDVD2\HardwareID
    Key value queried  MsftDVD2\CompatibleIDs
    Key value queried  MsftDVD2\Phantom
    Key value queried  DadyDVD\HardwareID
    Key value queried  DadyDVD\CompatibleIDs
    Key value queried  DadyDVD\Phantom
    Key value queried  DadyDisk\HardwareID
    Key value queried  DadyDisk\CompatibleIDs
    Key value queried  DadyDisk\Phantom
  devcon.exe (12 rows; each appears twice, matching the two devcon.exe instances, pids 1540 and 2944):
    Key opened         DadyDisk
    Key opened         DadyDVD
    Key value queried  DadyDisk\HardwareID
    Key value queried  DadyDisk\CompatibleIDs
    Key value queried  DadyDVD\HardwareID
    Key value queried  DadyDVD\CompatibleIDs
  MsiExec.exe (4 rows):
    Key opened         DadyDisk
    Key opened         DadyDVD
    Key value queried  DadyDisk\HardwareID
    Key value queried  DadyDVD\HardwareID
  taskmgr.exe (3 rows):
    Key opened         DadyDisk
    Key opened         DadyDisk\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
    Key value queried  DadyDisk\FriendlyName
  vssvc.exe (4 rows):
    Key opened         DadyDisk\Device Parameters
    Key created        DadyDisk\Device Parameters\Partmgr
    Set value (data)   DadyDisk\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)   DadyDisk\Device Parameters\Partmgr\PartitionTableCache = (value elided)
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read to fingerprint the host, and sandbox-evasive malware reads these keys to spot virtualised or under-powered CPUs. In this run the readers are TruCheck.exe (the installed application), AcroRd32.exe and dw20.exe (the Microsoft Error Reporting client, which collects CPU details for a crash report), so on its own this signature is weak evidence of evasion; weigh it against the rest of the report.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | TruCheck.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TruCheck.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | TruCheck.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TruCheck.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | TruCheck.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TruCheck.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
-
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
-
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Modifies data under HKEY_USERS 64 IoCs
Every SystemCertificates entry below is a "Key created" on an empty store container (Certificates, CRLs or CTLs) under the .DEFAULT (SYSTEM) profile, created when DrvInst.exe and rundll32.exe open the per-user stores from a service context during driver installation; no certificate data is written in this section. The MuiCache entries are cached resource strings.
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | rundll32.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | rundll32.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | DrvInst.exe
-
Modifies registry class 64 IoCs
Everything here is msiexec.exe registering the product and its assemblies under HKLM\SOFTWARE\Classes\Installer (PackageName TruCheckSetup.msi, install root C:\Program Files (x86)\Webscan Inc\TruCheck, MSI-encoded with | in place of \). It is standard Windows Installer bookkeeping, but the list doubles as an inventory of the bundled third-party components (CyUSB, FlyCapture2Managed, PdfSharp, Ionic.Zip, Fonet, Office and Acrobat interop, VC90 CRT) that ship with the package.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.CRT,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e004600420042006f0063004b005700470031003800280071002d004e003d007500590077007100370000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Drivers|InstallDriver.dll\InstallDriver,Version="1.0.4421.41005",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e003000660034007500500047007b002b005b0066006100470036006f002900550054005a006b00350000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\DeploymentFlags = "3" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|ja|TruCheck.resources.dll\TruCheck.resources,Version="3.3.68.3617",Culture="ja",ProcessorArchitecture="MSIL" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e002c007d004f00540040002800770065005d0024005100300049004e0034005a00300064006400260000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|TruCheckCoreManaged.DLL | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|PdfSharp.DLL\PdfSharp,Version="1.31.1789.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="F94615AA0424F9EB" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006d0059006c00390060004d0070005000460074003d007600580076004d005a00390024006100360000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Microsoft.Office.Interop.Excel.DLL | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|TruCheckRemote.DLL | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|RawPrinterHelper.DLL\RawPrinterHelper,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="32ED4FAA5501C8FD" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006900550078003900210037002600680046003d005a00660026004a002b0057007e00570070002e0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\PackageCode = "1E5B6C2BC08813F46BCEA711D8BBDB99" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\Language = "1033" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|ja|TruCheck.resources.dll | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|en-US|TruCheck.resources.dll\TruCheck.resources,Version="3.3.70.3647",Culture="en-US",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006800340068007000420058005100550064004e00530031006b0054002c004b0057002b005100330000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|CyUSB.DLL\CyUSB,Version="3.4.4.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="01F1D2B6C851AE92" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e00290044007e006f005000710064002700460039005f005b007300240061002d004600690021002c0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Interop.AcroPDFLib.DLL | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Fonet.DLL | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|TruCheck.exe | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|AxInterop.AcroPDFLib.DLL\AxInterop.AcroPDFLib,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0027004e005d006700550066002400540070003500620079004a005b00490025003d0079004c00620000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|TruCheckControl.DLL\TruCheckControl,Version="3.3.70.3647",Culture="neutral",ProcessorArchitecture="x86",PublicKeyToken="32ED4FAA5501C8FD" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0074002a006d007b0034002c00730029005f0027002b00300077004600660078005b0041006f00760000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|FlyCapture2Managed_v90.DLL | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Ionic.Zip.Reduced.DLL\Ionic.Zip.Reduced,Version="1.9.1.8",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="EDBE51AD942A3F5C" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006500510052006000300065007200560033004f0046006200320049002900590038007a005300400000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Drivers|HardwareWizard.exe\HardwareWizard,Version="1.0.4114.16721",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0066006d0031005300590047005e004b0073004200510076007a0071004b004e00600030007100260000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|de|TruCheck.resources.dll\TruCheck.resources,Version="3.3.68.3617",Culture="de",ProcessorArchitecture="MSIL" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e004e007000630042004b003200560027007d00570055005f004d003f002e00280059006b0078004a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|CyUSB.DLL | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Drivers|Legacy|InstallDriver.dll\InstallDriver,Version="1.0.4421.41005",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e005e005b005b00650043005300630027002800570074004f006400700070005e005b0039006c00510000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|zh-CN|TruCheck.resources.dll\TruCheck.resources,Version="3.3.68.3617",Culture="zh-CN",ProcessorArchitecture="MSIL" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0075002e004500660067002d0063006d002400540068004400670024005e003d00780056004b00720000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Microsoft.Vbe.Interop.DLL | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Microsoft.Vbe.Interop.DLL\Microsoft.Vbe.Interop,Version="10.0.4504.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="31BF3856AD364E35" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0041007a003d00620077005f007b00750045005b00380043005a00520077005e0072006d005100400000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|en-US|TruCheckCoreManaged.resources.dll\TruCheckCoreManaged.resources,Version="3.3.70.0",Culture="en-US",ProcessorArchitecture="MSIL",PublicKeyToken="32ED4F = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006a005f006b002d0053005a00380074007500520021004f0067002100490079006a004f006c00300000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|es|TruCheckCoreManaged.resources.dll\TruCheckCoreManaged.resources,Version="3.3.70.0",Culture="es",ProcessorArchitecture="MSIL",PublicKeyToken="32ED4FAA5501 = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0021004e00470036002800500053007300510044005d0040006a003f005e0034004500620066004c0000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|FlyCapture2Managed_v90.DLL\FlyCapture2Managed_v90,Version="2.4.2.8",Culture="neutral",ProcessorArchitecture="x86",PublicKeyToken="76C6583B4A4585F4" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0057003d002400310029006700400025005000570038006e002800520042006c00450037006c00740000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Ionic.Zip.Reduced.DLL | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|zh-CN|TruCheckCoreManaged.resources.dll | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|PdfSharp.DLL | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\ProductIcon = "C:\\Windows\\Installer\\{3F408034-3680-483F-A303-286D629038CA}\\_6FEFF9B68218417F98F549.exe" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e00690063003f00670029004f0026005200530034002500710035005d0056004c00510072005b00530000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Drivers|Legacy|HardwareWizard.exe\HardwareWizard,Version="1.0.4114.16721",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0078006e005200550062007800210036003f004d00500043007800720079007a0028004c006e00630000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Office.DLL\Office,Version="7.0.3300.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="B03F5F7F11D50A3A" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e003d005700650050004000680079004e003500670056005d006b0073006d007e006a006f006a006a0000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|fr|TruCheck.resources.dll\TruCheck.resources,Version="3.3.68.3617",Culture="fr",ProcessorArchitecture="MSIL" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0047005600490024005a006d005500410078006000700024005e0058006e002a007b005a006f00280000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|TruCheck.exe\TruCheck,Version="3.3.70.3647",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0051006e002400210038005d007e0078007800310074006d0028003900440049004f002e006000250000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|RawPrinterHelper.DLL | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|AxInterop.AcroPDFLib.DLL | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|TruCheckControl.DLL | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\430804F30863F3843A3082D6260983AC\DefaultFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Drivers|HardwareWizard.exe | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Office.DLL | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|System.Windows.Controls.DataVisualization.Toolkit.DLL\System.Windows.Controls.DataVisualization.Toolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArc = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0062007300470071005b007a00540064002c004a005a0056006500300065006c00620024004e00390000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|TruCheckCoreManaged.DLL\TruCheckCoreManaged,Version="3.3.70.0",Culture="neutral",ProcessorArchitecture="x86",PublicKeyToken="32ED4FAA5501C8FD" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0031006d005f00560030006200680056005f005000520065006c00790070007e0035002e007200390000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|WPFToolkit.DLL | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\Version = "50528326" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|es|TruCheck.resources.dll | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\430804F30863F3843A3082D6260983AC | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E63AB5B7BB2916C4CA7EEE2F065A6A5C\430804F30863F3843A3082D6260983AC | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\SourceList\PackageName = "TruCheckSetup.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|System.Windows.Controls.DataVisualization.Toolkit.DLL | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|Webscan Inc|TruCheck|Fonet.DLL\Fonet,Version="1.1.4744.22093",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="52EFFA152C4A9DC6" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e00270027006c005100620032003100590079003200470021003d005d002e005f002d002a006100790000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\430804F30863F3843A3082D6260983AC\SourceList\Media | msiexec.exe
-
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64 | TruCheck.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 | TruCheck.exe
The Blob value is a serialized certificate-store entry. The DER certificate embedded in it (the 3082023c... sequence) is the VeriSign Class 3 Public Primary Certification Authority root: serial 70bae41d10d92934b638ca7b03ccbabf, md2WithRSAEncryption, valid 1996-01-29 to 2028-08-01, friendly name "VeriSign Class 3 Public Primary CA" (the UTF-16 string in the blob), and its SHA-1 thumbprint is the key name 742C3192E607E424EB4549542BE1BBC53E6174E2. AuthRoot is the third-party root store that Windows fills on demand through the automatic root update mechanism, so a well-known public root landing there while TruCheck.exe validates a certificate chain is expected behaviour rather than trust-store tampering. Writes that change what the machine trusts are those to the Root or TrustedPublisher stores, which this entry is not.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Consecutive identical entries are collapsed with a count (64 events in total). taskmgr.exe (Task Manager) enumerates processes by design, and AcroRd32.exe is Adobe Reader, for which the package registers the AcroPDFLib interop assemblies; the entries attributable to the sample's own install are the msiexec.exe and TruCheck.exe ones.
pid | Process | consecutive events
536 | msiexec.exe | 2
5040 | TruCheck.exe | 1
3400 | TruCheck.exe | 1
3064 | AcroRd32.exe | 20
1680 | taskmgr.exe | 17
4188 | TruCheck.exe | 1
1680 | taskmgr.exe | 22
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
This is the full privilege set msiexec.exe enables during an install rather than a selective elevation of one right; treat it as Windows Installer baseline and look instead for the same privileges being enabled by a process the package dropped.
description | pid | Process
Token: SeSecurityPrivilege | 536 | msiexec.exe
Token: SeShutdownPrivilege | 4120 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4120 | msiexec.exe
Token: SeCreateTokenPrivilege | 4120 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4120 | msiexec.exe
Token: SeLockMemoryPrivilege | 4120 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4120 | msiexec.exe
Token: SeMachineAccountPrivilege | 4120 | msiexec.exe
Token: SeTcbPrivilege | 4120 | msiexec.exe
Token: SeSecurityPrivilege | 4120 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4120 | msiexec.exe
Token: SeLoadDriverPrivilege | 4120 | msiexec.exe
Token: SeSystemProfilePrivilege | 4120 | msiexec.exe
Token: SeSystemtimePrivilege | 4120 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4120 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4120 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4120 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4120 | msiexec.exe
Token: SeBackupPrivilege | 4120 | msiexec.exe
Token: SeRestorePrivilege | 4120 | msiexec.exe
Token: SeShutdownPrivilege | 4120 | msiexec.exe
Token: SeDebugPrivilege | 4120 | msiexec.exe
Token: SeAuditPrivilege | 4120 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4120 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4120 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4120 | msiexec.exe
Token: SeUndockPrivilege | 4120 | msiexec.exe
Token: SeSyncAgentPrivilege | 4120 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4120 | msiexec.exe
Token: SeManageVolumePrivilege | 4120 | msiexec.exe
Token: SeImpersonatePrivilege | 4120 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4120 | msiexec.exe
The 29-privilege pass from SeCreateTokenPrivilege to SeCreateGlobalPrivilege is then repeated in full by pid 4120 in the same order, and a third pass begins (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege) before the report's 64-IoC cap is reached.
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | entries
4120 | msiexec.exe | 2
3064 | AcroRd32.exe | 1
1680 | taskmgr.exe | 61
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process | entries
1680 | taskmgr.exe | 64
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process | entries
4636 | TruCheckSetup.exe | 1
3400 | TruCheck.exe | 2
3064 | AcroRd32.exe | 5
2664 | Sleepstates_Tool.exe | 2
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 3464 wrote to memory of 3888 | 3464 | TruCheck_v3.03.70_b3647_Updater.exe | 89 | 2
PID 3888 wrote to memory of 4636 | 3888 | UpdateTool.exe | 96 | 3
PID 4636 wrote to memory of 4120 | 4636 | TruCheckSetup.exe | 97 | 3
PID 536 wrote to memory of 736 | 536 | msiexec.exe | 100 | 3
PID 536 wrote to memory of 4920 | 536 | msiexec.exe | 105 | 2
PID 536 wrote to memory of 1088 | 536 | msiexec.exe | 107 | 3
PID 536 wrote to memory of 4284 | 536 | msiexec.exe | 108 | 3
PID 4284 wrote to memory of 432 | 4284 | MsiExec.exe | 111 | 2
PID 856 wrote to memory of 2784 | 856 | svchost.exe | 114 | 2
PID 2784 wrote to memory of 3720 | 2784 | DrvInst.exe | 115 | 2
PID 5040 wrote to memory of 988 | 5040 | TruCheck.exe | 123 | 3
PID 3064 wrote to memory of 2540 | 3064 | AcroRd32.exe | 128 | 3
PID 2540 wrote to memory of 1832 | 2540 | RdrCEF.exe | 129 | 33 (the remaining entries of the 64 listed)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the caller is the Windows Installer restore-point step: the Windows Installer service process msiexec.exe /V (PID 536) launches srtasks.exe ExecuteScopeRestorePoint (PID 4920), and the snapshot work runs in vssvc.exe (PID 384). Windows Installer requests a System Restore point before committing an installation unless the package opts out, so for an MSI that installs drivers this signature is expected. The same COM interface is what ransomware uses to enumerate and delete shadow copies, which is why the sandbox reports it at all.
Processes
Each entry gives the nesting depth in brackets, the image path, the full command line, the signatures that fired on the process, and its PID.

[1] C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3464
  [2] C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe" ud=true uf="Setup.exe PreInstallDriver=true"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3888
    [3] C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe" PreInstallDriver=true
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4636
      [4] C:\Windows\SysWOW64\msiexec.exe
          Command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi" PreInstallDriver=true
          - Blocklisted process makes network request
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          PID: 4120

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 536
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5478D6A5C52F38DF7ACE4DB918FC6B72 C
      - Loads dropped DLL
      PID: 736
  [2] C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 4920
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C2055FE60CAFB896F979C4E0D54D5C25
      - Loads dropped DLL
      PID: 1088
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D227E7ED511291C72B76D224856D8E7A E Global\MSI0000
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Checks SCSI registry key(s)
      - Suspicious use of WriteProcessMemory
      PID: 4284
    [3] C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\W64Install.exe
        Command line: "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\W64Install.exe" p
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        PID: 432

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    PID: 384

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of WriteProcessMemory
    PID: 856
  [2] C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\trucheck.inf" "9" "455d358b7" "0000000000000138" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers"
      - Manipulates Digital Signatures
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      PID: 2784
    [3] C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{9e5e2699-50cd-df44-9ea7-c81824b93f57} Global\{dfd6cca4-b688-7248-a073-b53ab8d6b45a} C:\Windows\System32\DriverStore\Temp\{9da650e8-91b2-304d-adaa-1d762f8feb49}\trucheck.inf C:\Windows\System32\DriverStore\Temp\{9da650e8-91b2-304d-adaa-1d762f8feb49}\webscan.cat
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        PID: 3720

[1] C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
    Command line: "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 5040
  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 2632
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      PID: 988

[1] C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    Command line: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    PID: 1896

[1] C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
    Command line: "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3400

[1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Program Files (x86)\Webscan Inc\TruCheck\Webscan TruCheck User Manual.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3064
  [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory
      PID: 2540
    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EEF33F6A0B943DC0C5DD73A106071C8B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EEF33F6A0B943DC0C5DD73A106071C8B --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
        PID: 1832
    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6A33C4BE2A760262DB9FCE69C42292DF --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 1164
    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=03458777CDBA83F0A26B4EF10A14EB9C --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 840
    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9D51D9018A0AC54011A8F186106EB85C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9D51D9018A0AC54011A8F186106EB85C --renderer-client-id=5 --mojo-platform-channel-handle=2024 --allow-no-sandbox-job /prefetch:1
        PID: 4800
    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D8F4D2E849635111E8AFF0683AC435E0 --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 1336
    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18D0DA889F2B606E2C12F8C785A2AE61 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 3352

[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1680

[1] C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
    Command line: "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 4188
  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 2568
      - Checks processor information in registry
      - Enumerates system info in registry
      PID: 2908

[1] C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Sleepstates_Tool.exe
    Command line: "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Sleepstates_Tool.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 2664

[1] C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\HardwareWizard.exe
    Command line: "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\HardwareWizard.exe"
    - Executes dropped EXE
    PID: 1128
  [2] C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\devcon.exe
      Command line: ".\x64\devcon.exe" status "USB\VID_09DB&PID_0076" & "USB\VID_04D8&PID_FED8" & "USB\VID_1FCE&PID_0001" & "USB\VID_1409&PID_1000" & "USB\VID_1409&PID_2230" & "USB\VID_1409&PID_2280" & "USB\VID_1421&PID_1106" & "USB\VID_1421&PID_0805" & "USB\VID_1421&PID_1506" & "USB\VID_1E10&PID_2005" & "USB\VID_04FA&PID_2490" & "USB\VID_04D8&PID_FED8" & "USB\VID_1FCE&PID_0001"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      PID: 1540
  [2] C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\devcon.exe
      Command line: ".\x64\devcon.exe" status "USB\VID_1FCE&PID_0002" & "USB\VID_1FCE&PID_0003"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      PID: 2944
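The Manipulates Digital Signatures hit on DrvInst.exe (PID 2784) is a write into the machine TrustedPublisher certificate store. In a driver install that is the expected side effect of accepting the PnP security prompt that rundll32 pnpui.dll,InstallSecurityPromptRunDllW (PID 3720) shows for trucheck.inf and webscan.cat with the option to always trust software from that publisher; it is also exactly the write an attacker performs to get a signing certificate of their own trusted, which is why the sandbox flags it. The PowerShell below is an added triage check, not code from the Triage report or from the TruCheck installer. It lists the publishers now trusted machine-wide, verifies the files in the installed driver package, and finds recently written kernel drivers that a service ImagePath points at. It assumes an elevated PowerShell 5.1 or later session on the analysed host; the driver directory is the one from the DrvInst.exe command line above, and the one-day window is an analyst's choice, not something the report states.

```powershell
# Added triage example for this report; not code from the Triage page or from the TruCheck
# installer. Assumptions: elevated PowerShell 5.1+ on the analysed host; $DriverDir is the
# package directory seen on the DrvInst.exe command line; $RecentDays is an analyst choice.
param(
    [string]$DriverDir  = 'C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers',
    [int]   $RecentDays = 1
)

# (1) Publisher certificates trusted machine-wide. A legitimate "always trust" click on the
#     PnP prompt and a deliberately planted signing certificate land in the same store,
#     so list every entry and compare thumbprints with the signers found in step (2).
Write-Host "== Cert:\LocalMachine\TrustedPublisher =="
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter |
    Format-Table -AutoSize

# (2) Authenticode status of the package contents. A .sys that is signed only through the
#     package catalog (the .cat handed to pnpui.dll above) may report NotSigned here; the
#     catalog's own signature then carries the trust decision, so *.cat is included.
Write-Host "== Signatures under $DriverDir =="
Get-ChildItem -Path $DriverDir -Recurse -File -Include *.sys, *.cat, *.dll, *.exe |
    Get-AuthenticodeSignature |
    Select-Object @{ n = 'File';       e = { Split-Path $_.Path -Leaf } },
                  Status,
                  @{ n = 'Signer';     e = { $_.SignerCertificate.Subject } },
                  @{ n = 'Thumbprint'; e = { $_.SignerCertificate.Thumbprint } } |
    Format-Table -AutoSize

# (3) Services whose ImagePath names a driver binary written within the last $RecentDays days.
#     ImagePath is stored in several forms (System32\..., \SystemRoot\..., \??\C:\...),
#     so normalise it before touching the file.
function Resolve-ImagePath([string]$ImagePath) {
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                              # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\ -> C:\Windows\
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"   # System32\   -> C:\Windows\System32\
    return $p
}

Write-Host "== Recently written kernel drivers referenced by a service =="
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { return }
    $path = Resolve-ImagePath $img
    if ($path -notmatch '\.sys$' -or -not (Test-Path -LiteralPath $path)) { return }
    $file = Get-Item -LiteralPath $path
    if ($file.LastWriteTime -lt $cutoff) { return }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Service   = $_.PSChildName
        ImagePath = $img
        Written   = $file.LastWriteTime
        Status    = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
} | Format-Table -AutoSize
```

Run it on the sandbox VM or on any host where the installer was executed. A TrustedPublisher entry whose thumbprint is not the signer of anything in the package, or a service ImagePath whose driver reports NotSigned while no catalog in the package verifies, is what would turn this from expected installer behaviour into something to escalate.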
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (3)
- Subvert Trust Controls (2)
  - Install Root Certificate (1)
  - SIP and Trust Provider Hijacking (1)
Downloads
-
Filesize
186KB
MD5e7be61e11e3988f26e1072fae917634c
SHA1fa9991d7d17ea17472ac84b5fd491b451e2e2ce9
SHA256ca8506968e038662450d91abe031b1aaf8f0fb6d7526e4b2c1f2b2bb80ac93a8
SHA5124b4d220b41ac7c86e36adc14c91370f6e54a03c59fde032d8770fd28898efa2e46ff41cabb5ce015959efeea45d19a3f6110c08a2f266d2503b91f3376ec6cb4
-
Filesize
52KB
MD50bc66dacfaa51cc1836424e3bec2a3f2
SHA1a4913f8b55ab23be811768bb654e3ee501c7b4ac
SHA256a64efa8dbf365c9f5db260047911d47cbf75cdb39cc21adb6b569644849ba1b7
SHA512f374987a8c15f901f9ec6a7b75fcc712a4313dd3c42dd05b8dc8f8b3d0e7a4c66f04bd640d90cf16078b73f8122e2ccce0d9f96ac9296842b353660a310b02ec
-
Filesize
12KB
MD5e8cd2be72e86698bf847c8ab02969af5
SHA17aa588e580dfa1c4699f6f27dbfed1d8c365ab48
SHA256a41c6951d9365e774d97958b129679d175f70ca47c3a5ecd58bd42744ef21640
SHA512f55cf41c5c07283fa6d55cf4a11979bcf120f31c1af7dcf69fc387b215374342aa6783d1a66fec0cd7d4599e5b0e4cc7513a8a380007c15178b256cbeb3b08a6
-
Filesize
51KB
MD5f3f07cdd21b7b220a68005e6731496ca
SHA168e54ba66bb8e591d633e3d79658e03586e83311
SHA256251b04deac7cecff790287dc6b212222ad85fea40e5e7f6e675a63000b336d93
SHA5129ae2e7f6f7fca1dfe18c60653442adef506f8cb31e65624ff19cbfe4e20bd9d681236ad58ec15e80f427ef70dc289bf731b171257f2c86f85414c505b3555137
-
Filesize
53KB
MD5ba738127ecde978bbc9e5a07898601f8
SHA1d7be3f8e02fb91f2ca75a6c783e3dc8e3ad2c10c
SHA2562680bafd34a04aa9e6c220cbd75c54b945520aa66c9544274835533ed68f4a43
SHA512f9d73a2fbe1d15ee23bc2aa074d62795faf0fe3ad5af57865038b19d3f279bfdef6b671bb6a4477eee843fc289e828b9e31f0b842e8642b0d15cc5658880e3cd
-
Filesize
43KB
MD58da0f189cc61a7952e472a17d10fac7b
SHA1cd4f3677f2abbdaf1297d79efe37f1a980663aa5
SHA2569e576d0302b6e2a27b3b2e03300020c20a359b8201eb20ce5adede0a9f12675a
SHA512c2179066d0a2556f05b96ab5486e01b37431750f74ad97dac17cac9787445d52e266fd3024eacdda128a8e8ba65f49a9da87ba395d373d64f28c4ecc3bedb3ea
-
Filesize
1.6MB
MD5330c321024ec9e5156392ba8b8e85a3b
SHA141c5d8a7a016d59398520da17974569e9e700aed
SHA25691bff3c6164610f38a96c4fdbc5ae7315c0badbc499f1bf8bf111e7296e8e690
SHA5128fb9c3ac3a56201bdba13344a2b1c7bfab11f7964ae1b39094c4d68ead2b19e8245add32be99260b9473bedf2dbee39dcb70ccd1f28085ce3a48af7db5f5c292
-
Filesize
1.7MB
MD516b24166eb196aabe418b8d0d83aa60d
SHA18908b4ead1a791d185bc3af927ac6f194f8734d7
SHA256407c590b2f222dfc9424d0d8a65a76e4ed2ad3b8ba3b302d10ebcdaff787410a
SHA5121ac67c8f822a5069cb670f18d77259bd1effece7b7d326a528b1175d7df2fe3684c0eeae1393de94d309d90bb94f3472438674034277b2435db9ea6ac6eac5c3
-
Filesize
1.6MB
MD54da5da193e0e4f86f6f8fd43ef25329a
SHA168a44d37ff535a2c454f2440e1429833a1c6d810
SHA25618487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e
SHA512b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853
-
Filesize
50KB
MD5fd6054ccda68e02610b899cdc16d186b
SHA1f23d3f737991466d758caabe1dac0fa0977384f3
SHA2563e271de68ca66ec912976e347816ceecab7540e05a98b1d8d0690c662d65d2da
SHA512efe63d70fd7d454b57cdd4c2fe85ccd20cd6ab68cc6f990f2436f4f7a9083a2443e7868af513c55e9f1f865395a5262787e2b588ece13ff0cd10ae1146f050ad
-
Filesize
9KB
MD52987d40e46e1c0b1701e0fac75b141a5
SHA10ec7e21728fa7d950f1107be0aa7ae30696941c5
SHA256ce7d779c2671a33ede4c0313571733243b732a79330aed0ef9eabe129c38d6c0
SHA512613ce470b5334d7c0658c86180b17f3a9a79256a655f41de59d60bad46176f62a882b75f97a8314b0f077ca098c985b3633d8249a3ebb06e2517bfd51b0ef22b
-
Filesize
507KB
MD59495b07f33ded991c65d9b04945d44c5
SHA1db9d5ec47980eb0709faba0cda283ff99d643b7c
SHA256bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e
SHA51236ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815
-
Filesize
9KB
MD5f4cb6e0ad8de576f746e7121eb61c364
SHA1636dbc63fc48cace097d332055cb42c190e65984
SHA2561053e632d1f5e43d1db5d263e1bacc52d199f3acb3ab8ee26e7d505569de376d
SHA51293cef1a63616b8b651c790d2236640c99ed9cd03de1c606345d5d8d7b2b901758459b317c1c0a0811c622d88833336d46e2c0a2ca7d1619d8614f7a2f04fb617
-
Filesize
247KB
MD57c359500407dd393a276010ab778d5af
SHA14d63d669b73acaca3fc62ec263589acaaea91c0b
SHA256a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
SHA51288a25138d0a491e5ee27499206e05b8c501da0c73ad2b3e23d70e810a09bfc1b701817de7f22c9f0b9f81f90235fe5eeadd112773035a11f01706eac364b34bc
-
Filesize
982KB
MD58a33495d8e72035488d6bfe0ce276202
SHA15acefd68888410407c01c72b985b973046a286ff
SHA256c9af2411972dd18e6842cc37caa61d60ba1e44160668109eba99b2be72d15c72
SHA512c39857654d88d047afe126da4e0ed4f29a473bde4f085f044e12fcde43e1e1d5787030a0bb761db32438133874fef5ce4c0870fe139b6efb13b8b80dd0972c05
-
Filesize
20.9MB
MD5283aa6dc39b6b9e4267a9f5bb620ab4d
SHA19daddab44c9182d51ea886110adb41fc90854f68
SHA256c3885de8c87ff9ddf33193bed64c5599ed161957f762245e6316b126b95f6d99
SHA5127d9929c6fc99115945dec89cd03e1f0da9dd26302e415fe28b62420ef4ef60a2bdeaf6ba8f97c4b0286a20553a9eefb4fcffacbf17650e052020ac9bbe15eeb0
-
Filesize
93KB
MD51a9cc11b7e7c3ea0a8683eff665e9b54
SHA12805aed696d065093bc4b9fa9f0b980b2fdbdfcc
SHA256e68a4d36e349f23cef88e00015aae8f3e896e79838a881f9d5fa2642bac7352e
SHA512cc6a34a9ac4cf5cf7b7c64bc603913b09ca3ec29b6a639a559200ad58d3d4dd66c73110a2581e848f361a0917d7060ec310104ff38e36c20049522d016c7d33a
-
Filesize
27.9MB
MD532f25312407a630c6d3b6f4d8347b681
SHA1b098a4fa60d30c95ffdd9130e9c07606a1e152b0
SHA256b82e38950e9053134e116884016844a2e871d691498b7c6398a1d5bb668da0ef
SHA51241785e6fef3147fc8a39c02a7bc2645a413a1b5d3af837bc320c8bcf793004454ac04e8123d9dbb34897d788474d035687c0e1153a6c3138951a9f3980f60dd8
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD5c0844ec77d540023f505c6e6b1f796ae
SHA1382541769c5231985234cbcf1a0d0e1a3689338b
SHA2562e456967f4910eae22108fa2183e297850b9e3c615b6f5484a9b9ed71215540d
SHA51226a484aba36a127485bfb5cbc1b9a5073873e9c171f8e3e68be9e3a882026afcdc52aeb1eaeffe8c4c2b52fba78bfa04fbd6c5eb0691b5066a5b266ea9092951
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Filesize1KB
MD5e1a4b2b787a91b3f548716ed5b1b8171
SHA1767452821035bc9da20d0917474bff2b336f0b3a
SHA256f98370d45aa93a5f04e53bd92219b358491d6fef09c1aebba5fc0a120ab861d9
SHA512848296397cb7676717d94114bd8a344516edc750404b34aa1dee1d571ce2e2c9b345786c387e3f4ef57012528d3b8161291c6a6c248554ea26b714b8f673a6a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
Filesize1KB
MD5eb8ecac08f744f5ac9637c0f0129f045
SHA1612c3e5375f0a6cc63cfeca549a361534b373889
SHA2563f95e4a685db2a4cc50df8dae853a0f38e574dc58983067d1e30842ff3955cd7
SHA51271a18d91c014986ff3e85fd23e268d227e84aa30216faa5bf542ea6cecbd9cd0329119a1aceb11f08cb940ccba55e23db48591fbae26a446ff6a6f4f84ad66da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Filesize532B
MD51a52868c7ab6b2be2435328ed0e0965d
SHA1274bad697c27cb867ad427895723a4f9aa624b03
SHA256a7c41108f9c37a1d6e222f3c9a627f60644bc3fafa2dcfbf8c64dd60d9cff1ea
SHA512d8c42f8ffbc0ecd24ce0337f15b52a0a13ed0da1ca02880993070567d27417a1c23ae9895bbd8114eaf4977752e420476837b2e4de39a70d947a74d3d5159e81
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
Filesize544B
MD58cc4627bd01b016344f92867dac634f2
SHA10869f59bb3a1941353b424d4b36bed167a756ea8
SHA256ffc57891156858add5e2f798223681f258e7c383c1aab0f26c8e1e17d362e7ca
SHA512cfa699403ab18c3ac2e20eb1b69c03f8e646fc77f45c80780e73be78ceb6f6e2e63e63837c7615feb3af5d3f6f74a1cc5055ee4a42bfa7ee2ec64605c23b17cd
-
Filesize
123B
MD517af548f88a3199aa8a63a72201f470f
SHA14e64bb20a2f54d778ed684aa21abebad63a5c2c0
SHA256a558dbe555749cd3bdd62060fdbba72720c4f4a186d5870b977ed2acf9721d9e
SHA51208bdbc75f5fd4d9ec85c53253e4030ce7245b20ecc95e032835609c7c43a07d6c9e7776f48c5494a788a543240c0649a9f1a34a0e514ebc4dda5730953647338
-
Filesize
221KB
MD5911aa8d08b7ccab654e897b0e4439354
SHA14f4f16048deae47a2ff5b9849042f62ec51794bc
SHA256ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b
SHA5128aa11f26093e54a62c5390c64e218a8a57cd3374bbce8ecc243042dd8a2214ede1f3befa699837698c0bd42b9b4e011f95c62588b8bdd4da9aae12dabe4b46e4
-
Filesize
384KB
MD5776851d4a843a0717892e075d03f46ce
SHA171158f473006c4bbe7c0a5e969c0b346e0c57ac8
SHA2563242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b
SHA51257130f320b81da24c784d84b94d2968437f48a7a950944e4c5c31858741d2e31f33cd01992f36fd55b9fcd2fdd425b831da6b7a196bba4d9486d4a8f0aead7aa
-
Filesize
191.6MB
MD5
b42d32a276b782d58420ec171789ed34
SHA1
789505e6363e2fc9942e5b73df99884760273abf
SHA256
704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839
SHA512
63741b75309f8f41a57bd9e1daa4f7e408a73de2d2fe19e2ef3b51dc7d0e1cc5b9d3ba2c2bc3250649992e693a206825081a6cf25badd93c12592c359ec61684
-
Filesize
59KB
MD5
d42b83e5e46d7cc78baf0fc96c9eb676
SHA1
f8749d8dcfc7e5ca8ae9c1c61cd07c69ba5179e8
SHA256
1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6
SHA512
bafd9284e3de19607cc64c2f1b4ec7d18906f49618aac246ae2ef103e36a918d7f6d0c8df7a45d11e36281dcd95da8b65add4e72228d97fd4f4c43de086b6508
-
Filesize
63KB
MD5
384a729b4093250d9786013e15e9aa31
SHA1
c7ebd3366e0b05b2eb0cd17a6a8354427436774c
SHA256
e83ddd458b0433c98f4d13853cc88cf72fada6ffce6d56fcaca8e83bd76abfad
SHA512
d6f70005e29e6e8b5c926d7fa4280ae1081c8c0626f74417a73fb81dd5522abab300dd7105f8842a2f41b8f036edacb4853bc6ca7be8f67e5da80ca9de9bc66e
-
Filesize
14KB
MD5
07282ca770d5cc6fba8e0c1598c485f2
SHA1
b7bb6f83b446f73499059d2e14cafba3fc09eb81
SHA256
c7669bc86c8102ab2cec262de32ac4aca06e4904959c088d85440ae77b85ec36
SHA512
845fd16f032fd40456d74f30045e688044b5d2b4014a06ec700fd0211ed4a2b9fbe53dc89ad8bd7f2407c0ce6cb12885f06185c56065672071d682b39716903b
-
Filesize
19KB
MD5
65d8cb74df760cacbf52f33c6ed80422
SHA1
43e19b9b26354bfbb6121ef31c35192c970833cb
SHA256
0ee74043a1c34dc7d5bd0e3631624d39bd006e917652d5052506030c0bf8dd59
SHA512
34e8a0c1296940ff27ff4fc7109fbacb96ce52364c7ebbd7d05ca2de70cadfcf96b37898367b5174becddb559a3d8c24840f23c5f6091f9756cf96493f3d80d2
-
Filesize
23.7MB
MD5
837f963747e9766d1b375e7507c2a3b8
SHA1
84d4ec9d272b8f19d27221cc58781f3f301467f6
SHA256
1aacff796dc3f32585be4c39a42565467733323a46c4ba3429f09e332aca2014
SHA512
84bffa202540cabcf6f379f49536f0e72da756435b4accb93cbf7b3466560330bd98c7fa7614347f7c6bcedb835a913edcac1d0d6a079114b49008bcfb6ff183
-
\??\Volume{2dcc6a48-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{35e9e445-d28c-4960-9245-01fefc1fdbed}_OnDiskSnapshotProp
Filesize
6KB
MD5
9213479081383672ed67e83c93ef854b
SHA1
5e107f2f2e3ed7afe39ca5b0521b883a29585ea0
SHA256
1482955eb13fad7d47cb0684c341c64ddf6747f150c496f05a8b0b10289ecd0b
SHA512
92e3dcf747b9790fd4bcf1c371a82a2cb37ae098a43aebd4b066d4b09933d857e5b7fef8b895c1fad566f5e01294c7925775b736ef36aa99ef0460266bb0e3f4