Analysis
max time kernel: 658s
max time network: 1174s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/04/2024, 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: TruCheck_v3.03.70_b3647_Updater.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: TruCheck_v3.03.70_b3647_Updater.exe
  Resource: win11-20240221-en
General
Target: TruCheck_v3.03.70_b3647_Updater.exe
Size: 195.7MB
MD5: 719e9af110e7527608b8006f6290a29c
SHA1: 74a0684bffc141503c55572c12eecba2a3d9e5a1
SHA256: 29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12
SHA512: 140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae
SSDEEP: 3145728:caSFaGTMXZ+IasZ4AR/gh6O6gx7AFaTzT6B7jdsOL9Nf0iVbSJNTRK:2aGwJ+TO496nU/nO7jdnky
Malware Config
Signatures

Drops file in Drivers directory (3 IoCs)
description  ioc  Process
File created  C:\Windows\SysWOW64\Drivers\cbul32.sys  msiexec.exe
File created  C:\Windows\SysWOW64\Drivers\cbulwdm.sys  msiexec.exe
File created  C:\Windows\SysWOW64\Drivers\pcidaqlib.sys  msiexec.exe
Manipulates Digital Signatures (1 TTP, 1 IoC)
Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description  ioc  Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A0DD3939603DCF72168211E663EF70013B76640F\Blob = 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  DrvInst.exe
Sets service image path in registry (2 TTPs, 1 IoC)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CBUL32\ImagePath = "System32\\Drivers\\cbul32.sys"  msiexec.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  TruCheck_v3.03.70_b3647_Updater.exe
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  UpdateTool.exe
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  TruCheckSetup.exe
Executes dropped EXE (7 IoCs)
pid  Process
4128  UpdateTool.exe
4996  TruCheckSetup.exe
3252  W64Install.exe
4904  TruCheck.exe
5048  TruCheck.exe
3844  TruCheck.exe
4056  TruCheck.exe
Loads dropped DLL (64 IoCs)
pid  Process  (identical rows collapsed, with their count)
224  MsiExec.exe  (2 entries)
4444  MsiExec.exe  (7 entries)
3252  W64Install.exe  (1 entry)
4904  TruCheck.exe  (12 entries)
5048  TruCheck.exe  (30 entries)
3844  TruCheck.exe  (12 entries)
Blocklisted process makes network request (2 IoCs)
flow  pid  Process
29  3184  msiexec.exe
31  3184  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process  (each drive root appears twice in the original list; identical rows collapsed)
File opened (read-only)  \??\A:  msiexec.exe  (2 entries)
File opened (read-only)  \??\B:  msiexec.exe  (2 entries)
File opened (read-only)  \??\E:  msiexec.exe  (2 entries)
File opened (read-only)  \??\G:  msiexec.exe  (2 entries)
File opened (read-only)  \??\H:  msiexec.exe  (2 entries)
File opened (read-only)  \??\I:  msiexec.exe  (2 entries)
File opened (read-only)  \??\J:  msiexec.exe  (2 entries)
File opened (read-only)  \??\K:  msiexec.exe  (2 entries)
File opened (read-only)  \??\L:  msiexec.exe  (2 entries)
File opened (read-only)  \??\M:  msiexec.exe  (2 entries)
File opened (read-only)  \??\N:  msiexec.exe  (2 entries)
File opened (read-only)  \??\O:  msiexec.exe  (2 entries)
File opened (read-only)  \??\P:  msiexec.exe  (2 entries)
File opened (read-only)  \??\Q:  msiexec.exe  (2 entries)
File opened (read-only)  \??\R:  msiexec.exe  (2 entries)
File opened (read-only)  \??\S:  msiexec.exe  (2 entries)
File opened (read-only)  \??\T:  msiexec.exe  (2 entries)
File opened (read-only)  \??\U:  msiexec.exe  (2 entries)
File opened (read-only)  \??\V:  msiexec.exe  (2 entries)
File opened (read-only)  \??\W:  msiexec.exe  (2 entries)
File opened (read-only)  \??\X:  msiexec.exe  (2 entries)
File opened (read-only)  \??\Y:  msiexec.exe  (2 entries)
File opened (read-only)  \??\Z:  msiexec.exe  (2 entries)
Drops file in System32 directory (48 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64  DrvInst.exe
File created  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\trucheck.PNF  W64Install.exe
File created  C:\Windows\SysWOW64\cb.cfg  msiexec.exe
File created  C:\Windows\SysWOW64\ulprops.txt  msiexec.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET1F80.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\SET2032.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\SET2034.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\tcusbld.spt  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\SET2034.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\tcusbld.spt  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET1F80.tmp  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET1FA0.tmp  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET200E.tmp  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET2020.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\StUSB.sys  DrvInst.exe
File created  C:\Windows\System32\DriverStore\drvstore.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\x64\uEye_boot.sys  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\trucheck.inf  DrvInst.exe
File created  C:\Windows\SysWOW64\cbercode.txt  msiexec.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET200E.tmp  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET201F.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET2021.tmp  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\SET2032.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\webscan.cat  DrvInst.exe
File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  DrvInst.exe
File created  C:\Windows\SysWOW64\DaqLib.dll  msiexec.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET201F.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\webscan.cat  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\SET2033.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\x64\StUSB.sys  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\wdfcoinstaller01009.dll  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\trucheck.inf  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\x64\PGRUSBCam.sys  DrvInst.exe
File created  C:\Windows\SysWOW64\cbw32.dll  msiexec.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\uEye_usb.sys  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\PGRUSBCam.sys  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\uEye_boot.sys  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\CyUsb.sys  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\x64\wdfcoinstaller01009.dll  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\SET2033.tmp  DrvInst.exe
File created  C:\Windows\SysWOW64\tcusbld\tcusbld.spt  msiexec.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET1FA0.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET2020.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\x64\CyUsb.sys  DrvInst.exe
File created  C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\x64\SET2021.tmp  DrvInst.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\trucheck.inf_amd64_7919be661198b1e6\x64\uEye_usb.sys  DrvInst.exe
File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  W64Install.exe
Drops file in Program Files directory (64 IoCs)
description  ioc  Process
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_ddr_1v8_lvds_aptina_2phy.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x86\tcusbld.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\StTrgApi.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Ionic.Zip.Reduced.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x86\devcon.exe  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\FlyCapture2Managed_v90.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\de\TruCheck.resources.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\RawPrinterHelper.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\InstallDriver.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_ddr_1v8_lvds_aptina.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_ddr_3v3_lvds_cmosis.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\AcroPDF.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\PdfSharp.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x64\uEye_boot.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x64\WdfCoInstaller01009.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_no_ddr_3v3_parallel.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_no_ddr_1v8_lvds_aptina.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3\fx3_bootloader.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_3v3_parallel.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Microsoft.Office.Interop.Excel.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\StUSB.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\HardwareWizard.exe  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\fr\TruCheck.resources.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb2_se_3v3_parallel.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\AxInterop.AcroPDFLib.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheckControl.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\PGRUSBCam.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\cyusb.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Office.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\app.ico  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x64\StUSB.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_ddr_1v8_lvds_sony.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x86\DIFxAPI.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\webscan.cat  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\EULA.rtf  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\trucheck.inf  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_ml_le_1v8_parallel.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_1v8_lvds_sony.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x64\uEye_usb.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x86\StUSB.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_le2_1v8_lvds_sony_spi.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_1v8_parallel.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\webscan.cat  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\ja\TruCheck.resources.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\WPFToolkit.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\trucheck.inf  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\HardwareWizard.exe  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\CyUSB.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_no_ddr_1v8_lvds_aptina_2phy.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x64\DIFxAPI.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\MccDaq.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\uEye_usb.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_le2_3v3_lvds_onsemi.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x86\CyUSB.sys  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\WdfCoInstaller01009.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\x64\devcon.exe  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheckRemote.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_ddr_3v3_parallel.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\System.Windows.Controls.DataVisualization.Toolkit.DLL  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Firmware\usb3_addon\usb3_cp_no_ddr_1v8_parallel.fwc  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\devcon.exe  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\Legacy\InstallDriver.dll  msiexec.exe
File created  C:\Program Files (x86)\Webscan Inc\TruCheck\FlyCapture2_v90.dll  msiexec.exe
Drops file in Windows directory (30 IoCs)
description  ioc  Process
File created  C:\Windows\inf\oem3.inf  DrvInst.exe
File created  C:\Windows\WinSxS\InstallTemp\20240408152625585.0\msvcp90.dll  msiexec.exe
File created  C:\Windows\Inf\cbi95.inf  msiexec.exe
File created  C:\Windows\WinSxS\InstallTemp\20240408152625585.0\msvcr90.dll  msiexec.exe
File created  C:\Windows\Inf\daqlib.inf  msiexec.exe
File opened for modification  C:\Windows\WinSxS\InstallTemp\20240408152626366.0  msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log  DrvInst.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created  C:\Windows\WinSxS\InstallTemp\20240408152625585.0\msvcm90.dll  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE4C.tmp  msiexec.exe
File created  C:\Windows\Installer\e59fa95.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIFFA4.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI301.tmp  msiexec.exe
File created  C:\Windows\WinSxS\InstallTemp\20240408152626366.0\9.0.21022.8.cat  msiexec.exe
File created  C:\Windows\WinSxS\InstallTemp\20240408152626366.0\9.0.21022.8.policy  msiexec.exe
File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  dw20.exe
File created  C:\Windows\Installer\e59fa93.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\e59fa93.msi  msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
File created  C:\Windows\Installer\SourceHash{3F408034-3680-483F-A303-286D629038CA}  msiexec.exe
File opened for modification  C:\Windows\inf\oem3.inf  DrvInst.exe
File opened for modification  C:\Windows\Installer\MSIFEC9.tmp  msiexec.exe
File opened for modification  C:\Windows\WinSxS\InstallTemp\20240408152625585.0  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI1CA5.tmp  msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log  W64Install.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log  svchost.exe
File created  C:\Windows\WinSxS\InstallTemp\20240408152625585.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat  msiexec.exe
File created  C:\Windows\WinSxS\InstallTemp\20240408152625585.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest  msiexec.exe
File created  C:\Windows\Inf\cbicom.inf  msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 54 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  svchost.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  MsiExec.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom  W64Install.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs  W64Install.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags  W64Install.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  DrvInst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002  W64Install.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  svchost.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom  DrvInst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  W64Install.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID  W64Install.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  DrvInst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001  W64Install.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  W64Install.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags  svchost.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  W64Install.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs  W64Install.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID  W64Install.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  DrvInst.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  svchost.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom  W64Install.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  W64Install.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  W64Install.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009  svchost.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags  svchost.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID  DrvInst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002  DrvInst.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  DrvInst.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags  W64Install.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs  W64Install.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom  DrvInst.exe
Checks processor information in registry (2 TTPs, 18 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  TruCheck.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  dw20.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  TruCheck.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  dw20.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TruCheck.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TruCheck.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  TruCheck.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TruCheck.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  dw20.exe
Enumerates system info in registry (2 TTPs, 8 IoCs)
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  dw20.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
Modifies data under HKEY_USERS 42 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
-
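Every row in the table above is a "Key created" under HKEY_USERS\.DEFAULT, the profile the SYSTEM account uses, which is what CryptoAPI produces when a SYSTEM-context process such as DrvInst.exe opens a certificate store for the first time: the empty Certificates, CRLs and CTLs containers get created and nothing is added. A certificate is only added when a "Set value" row writes a \Certificates\<thumbprint>\Blob value, and only writes into the Root, AuthRoot, TrustedPublisher or TrustedPeople stores change what the machine trusts. The script below is an added example, not tria.ge code, that sorts such rows into "store opened" versus "certificate written". The report rows it embeds are a subset copied verbatim from the table above; the "Set value" row with an all-zero thumbprint and the process name example_installer.exe are constructed placeholders that show what a real root-store write would look like in this format.

```python
r"""Sort certificate-store registry IoCs into "store opened" vs "certificate written".

Added example for this sandbox report, not tria.ge code. CryptoAPI creates the
empty SystemCertificates\<store>\{Certificates,CRLs,CTLs} containers the first
time a process opens a store, so a burst of "Key created" rows (here DrvInst.exe
under HKEY_USERS\.DEFAULT, the SYSTEM profile) records stores being read. Only
a "Set value ... \Certificates\<thumbprint>\Blob" row adds a certificate, and
only writes into Root, AuthRoot, TrustedPublisher or TrustedPeople change what
the machine trusts.
"""
import re

# Subset of rows copied verbatim from the report's registry table, one per line.
REPORT_ROWS = r"""
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
"""

# Constructed row, NOT from the report: the shape a real root-store injection
# takes in this table. The all-zero thumbprint and process name are placeholders.
CONSTRUCTED_ROOT_WRITE = (
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates"
    r"\Root\Certificates\0000000000000000000000000000000000000000\Blob"
    " = <blob> example_installer.exe\n"
)

# "<op> <path>[ = <value>] <process>"; the path may contain spaces, so it is
# matched lazily and the process name is anchored to the end of the line.
ROW_RE = re.compile(
    r"^(?P<op>Key created|Set value \([^)]*\)) (?P<path>\\REGISTRY\\.+?)"
    r"(?: = (?P<value>\S+))? (?P<proc>\S+)$"
)
STORE_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\[^\\]+|MACHINE)\\(?:Software|SOFTWARE)\\"
    r"(?P<policy>Policies\\)?Microsoft\\SystemCertificates\\(?P<store>[^\\]+)"
    r"(?:\\(?P<container>Certificates|CRLs|CTLs)"
    r"(?:\\(?P<thumb>[0-9A-Fa-f]{40})\\Blob)?)?$"
)
TRUST_STORES = {"Root", "AuthRoot", "TrustedPublisher", "TrustedPeople"}


def parse_rows(text):
    """Yield (operation, registry path, process) for each well-formed row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m["op"], m["path"], m["proc"]


def classify(text):
    """Return stores merely opened, certificates written, and non-store paths."""
    opened, written, other = set(), [], []
    for op, path, proc in parse_rows(text):
        s = STORE_RE.match(path)
        if not s:
            other.append(path)                      # e.g. WinTrust provider keys
        elif op.startswith("Set value") and s["thumb"]:
            store = s["store"]
            written.append((store, s["thumb"].upper(), proc, store in TRUST_STORES))
        elif op.startswith("Set value"):
            other.append(path)                      # store-level value, not a cert
        else:
            scope = "Policies" if s["policy"] else "Software"
            opened.add((scope, s["store"], s["container"]))
    return {
        "opened": sorted(opened, key=lambda t: (t[0], t[1], t[2] or "")),
        "written": written,
        "other": other,
    }


if __name__ == "__main__":
    result = classify(REPORT_ROWS + CONSTRUCTED_ROOT_WRITE)
    for scope, store, container in result["opened"]:
        print(f"opened   {scope}/{store}/{container or '-'}")
    for store, thumb, proc, trust in result["written"]:
        print(f"{'TRUST CHANGE' if trust else 'written'}  {store} {thumb} by {proc}")
```

Run against the full table from the report, "written" stays empty: DrvInst.exe opened stores, it did not add anything under HKEY_USERS\.DEFAULT. The last line of the sample run is the constructed Root write and is the only row that would deserve an incident ticket.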
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process
1652 msiexec.exe (x2)
4904 TruCheck.exe
5048 TruCheck.exe
3844 TruCheck.exe
2496 taskmgr.exe (x11)
4056 TruCheck.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeSecurityPrivilege 1652 msiexec.exe
Token: (all remaining 63 rows are 3184 msiexec.exe, in this order)
  SeShutdownPrivilege, SeIncreaseQuotaPrivilege,
  then this 29-privilege run twice in full:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  then the same run a third time, ending at the table's 64th row after SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege
-
Suspicious use of FindShellTrayWindow 39 IoCs
pid Process
3184 msiexec.exe (x2)
2496 taskmgr.exe (x37)
-
Suspicious use of SendNotifyMessage 37 IoCs
pid Process
2496 taskmgr.exe (x37)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
4996 TruCheckSetup.exe
-
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target
PID 3640 wrote to memory of 4128 3640 TruCheck_v3.03.70_b3647_Updater.exe 91 (x2)
PID 4128 wrote to memory of 4996 4128 UpdateTool.exe 97 (x3)
PID 4996 wrote to memory of 3184 4996 TruCheckSetup.exe 98 (x3)
PID 1652 wrote to memory of 224 1652 msiexec.exe 101 (x3)
PID 1652 wrote to memory of 3800 1652 msiexec.exe 107 (x2)
PID 1652 wrote to memory of 4444 1652 msiexec.exe 109 (x3)
PID 4444 wrote to memory of 3252 4444 MsiExec.exe 113 (x2)
PID 3692 wrote to memory of 2892 3692 svchost.exe 116 (x2)
PID 2892 wrote to memory of 4328 2892 DrvInst.exe 117 (x2)
PID 4904 wrote to memory of 3236 4904 TruCheck.exe 121 (x3)
PID 5048 wrote to memory of 2164 5048 TruCheck.exe 125 (x3)
PID 3844 wrote to memory of 4688 3844 TruCheck.exe 127 (x3)
PID 4056 wrote to memory of 4912 4056 TruCheck.exe 130 (x3)
-
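Every "wrote to memory of" row above pairs a process with its own direct child in the process tree. CreateProcess writes the new child's startup data into the child's address space before the child runs, and a sandbox that hooks WriteProcessMemory records that as a write by the parent, so these rows document spawns, not injection. The script below is an added example, not tria.ge code: it parses the 34 rows exactly as the report prints them, collapses the duplicates, and checks each write against the parent map read off the process tree. The final row it feeds in, TruCheck.exe (PID 4904) writing into msiexec.exe (PID 1652), which is not its child, is constructed to show what the check would flag.

```python
"""Are a sandbox's "wrote to memory of" rows process spawns or injection?

Added example for this sandbox report, not tria.ge code. CreateProcess writes
the new child's startup data into the child's address space before it runs, so
a hooked WriteProcessMemory attributed to a parent against its own direct child
is a spawn record. A write into any process that is not the writer's child is
the case worth a closer look.
"""
import re
from collections import Counter

# All 34 rows of the report's WriteProcessMemory table, copied verbatim
# (the report prints them run together on one line; finditer does not care).
WPM_TABLE = """
PID 3640 wrote to memory of 4128 3640 TruCheck_v3.03.70_b3647_Updater.exe 91
PID 3640 wrote to memory of 4128 3640 TruCheck_v3.03.70_b3647_Updater.exe 91
PID 4128 wrote to memory of 4996 4128 UpdateTool.exe 97
PID 4128 wrote to memory of 4996 4128 UpdateTool.exe 97
PID 4128 wrote to memory of 4996 4128 UpdateTool.exe 97
PID 4996 wrote to memory of 3184 4996 TruCheckSetup.exe 98
PID 4996 wrote to memory of 3184 4996 TruCheckSetup.exe 98
PID 4996 wrote to memory of 3184 4996 TruCheckSetup.exe 98
PID 1652 wrote to memory of 224 1652 msiexec.exe 101
PID 1652 wrote to memory of 224 1652 msiexec.exe 101
PID 1652 wrote to memory of 224 1652 msiexec.exe 101
PID 1652 wrote to memory of 3800 1652 msiexec.exe 107
PID 1652 wrote to memory of 3800 1652 msiexec.exe 107
PID 1652 wrote to memory of 4444 1652 msiexec.exe 109
PID 1652 wrote to memory of 4444 1652 msiexec.exe 109
PID 1652 wrote to memory of 4444 1652 msiexec.exe 109
PID 4444 wrote to memory of 3252 4444 MsiExec.exe 113
PID 4444 wrote to memory of 3252 4444 MsiExec.exe 113
PID 3692 wrote to memory of 2892 3692 svchost.exe 116
PID 3692 wrote to memory of 2892 3692 svchost.exe 116
PID 2892 wrote to memory of 4328 2892 DrvInst.exe 117
PID 2892 wrote to memory of 4328 2892 DrvInst.exe 117
PID 4904 wrote to memory of 3236 4904 TruCheck.exe 121
PID 4904 wrote to memory of 3236 4904 TruCheck.exe 121
PID 4904 wrote to memory of 3236 4904 TruCheck.exe 121
PID 5048 wrote to memory of 2164 5048 TruCheck.exe 125
PID 5048 wrote to memory of 2164 5048 TruCheck.exe 125
PID 5048 wrote to memory of 2164 5048 TruCheck.exe 125
PID 3844 wrote to memory of 4688 3844 TruCheck.exe 127
PID 3844 wrote to memory of 4688 3844 TruCheck.exe 127
PID 3844 wrote to memory of 4688 3844 TruCheck.exe 127
PID 4056 wrote to memory of 4912 4056 TruCheck.exe 130
PID 4056 wrote to memory of 4912 4056 TruCheck.exe 130
PID 4056 wrote to memory of 4912 4056 TruCheck.exe 130
"""

# child PID -> parent PID, read off the report's process tree.
PARENT_OF = {
    4128: 3640, 4996: 4128, 3184: 4996,
    224: 1652, 3800: 1652, 4444: 1652, 3252: 4444,
    2892: 3692, 4328: 2892,
    3236: 4904, 2164: 5048, 4688: 3844, 4912: 4056,
}

# Constructed row, NOT from the report: TruCheck.exe writing into the installer
# service, which is not its child. procid_target 0 is a placeholder.
CONSTRUCTED_INJECTION = "PID 4904 wrote to memory of 1652 4904 TruCheck.exe 0\n"

ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) "
    r"(?P<image>\S+) (?P<procid>\d+)"
)


def parse_wpm(text):
    """Return [(writer_pid, target_pid, writer_image), ...] for every row found."""
    return [(int(m["writer"]), int(m["target"]), m["image"])
            for m in ROW_RE.finditer(text)]


def classify_writes(rows, parent_of):
    """Split writes into spawns (writer is the target's parent) and the rest.

    Returns (Counter of deduplicated spawn edges with their row counts,
             list of (writer, target, image) rows that need a closer look)."""
    spawns, suspicious = Counter(), []
    for writer, target, image in rows:
        if parent_of.get(target) == writer:
            spawns[(writer, target, image)] += 1
        else:
            suspicious.append((writer, target, image))
    return spawns, suspicious


if __name__ == "__main__":
    spawns, suspicious = classify_writes(
        parse_wpm(WPM_TABLE + CONSTRUCTED_INJECTION), PARENT_OF)
    for (writer, target, image), n in sorted(spawns.items()):
        print(f"spawn       {writer:>5} -> {target:<5} {image} (x{n})")
    for writer, target, image in suspicious:
        print(f"INVESTIGATE {writer:>5} -> {target:<5} {image}")
```

On the report's own 34 rows the suspicious list is empty and the 13 deduplicated edges reproduce the parent/child links of the process tree; only the constructed row is flagged.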
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the Windows Installer service (msiexec.exe, PID 1652) spawns srtasks.exe ExecuteScopeRestorePoint (PID 3800), the System Restore task that snapshots the system before an install, which is when vssvc.exe (PID 4320) starts; no shadow-copy deletion appears anywhere in the process tree.
Processes
PID 3640: C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID 4128: C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe" ud=true uf="Setup.exe PreInstallDriver=true"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID 4996: C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe" PreInstallDriver=true
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID 3184: C:\Windows\SysWOW64\msiexec.exe
                cmd: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi" PreInstallDriver=true
                - Blocklisted process makes network request
                - Enumerates connected drives
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
PID 1652: C:\Windows\system32\msiexec.exe
    cmd: C:\Windows\system32\msiexec.exe /V
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 224: C:\Windows\syswow64\MsiExec.exe
        cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 345F1FA01BDBEF712CCCF21834D60E1F C
        - Loads dropped DLL
    PID 3800: C:\Windows\system32\srtasks.exe
        cmd: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID 4444: C:\Windows\syswow64\MsiExec.exe
        cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 7FE8FD4F0BC76A25A6BC4695CD139050
        - Loads dropped DLL
        - Checks SCSI registry key(s)
        - Suspicious use of WriteProcessMemory
        PID 3252: C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\W64Install.exe
            cmd: "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\W64Install.exe" p
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Checks SCSI registry key(s)
PID 4320: C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
PID 3692: C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of WriteProcessMemory
    PID 2892: C:\Windows\system32\DrvInst.exe
        cmd: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{cd855e7b-d099-164a-afb8-e9ebde89adf5}\trucheck.inf" "9" "455d358b7" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers"
        - Manipulates Digital Signatures
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID 4328: C:\Windows\system32\rundll32.exe
            cmd: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3497a990-874f-a04f-8f71-26bd40143747} Global\{9a3a2c16-1f63-234a-ad95-197b619ffcfd} C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\trucheck.inf C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\webscan.cat
PID 4904: C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
    cmd: "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID 3236: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        cmd: dw20.exe -x -s 452
        (dw20.exe is the .NET Framework 2.0 error-reporting client that a managed application launches on an unhandled exception; each of the four TruCheck.exe starts in this run ends in one, i.e. the application crashed every time it was launched in the sandbox)
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
PID 5048: C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
    cmd: "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID 2164: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        cmd: dw20.exe -x -s 2536
        - Checks processor information in registry
        - Enumerates system info in registry
PID 4824: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    cmd: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
PID 3844: C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
    cmd: "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID 4688: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        cmd: dw20.exe -x -s 2556
        - Checks processor information in registry
        - Enumerates system info in registry
PID 2496: C:\Windows\system32\taskmgr.exe
    cmd: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
PID 4056: C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
    cmd: "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID 4912: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        cmd: dw20.exe -x -s 2564
        - Checks processor information in registry
        - Enumerates system info in registry
PID 1592: C:\Windows\System32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)
The Subvert Trust Controls mapping comes from the "Manipulates Digital Signatures" signature attributed to DrvInst.exe (PID 2892) in the process tree. A publisher certificate landing in the TrustedPublisher store is also exactly what Windows does when the driver-package publisher prompt (rundll32.exe pnpui.dll,InstallSecurityPromptRunDllW with trucheck.inf and webscan.cat, PID 4328) is accepted with the "always trust" option, so check the subject of the stored certificate and the signature on the catalog before treating this as trust-provider hijacking.
Downloads
-
Filesize: 189KB
MD5: d6a724727ce418948eeb380821d7e6eb
SHA1: 856e0966fee149992843ecb0ee9c7327b4202e87
SHA256: 93e028541e8eedd217475b5a3a20c3afae82f46516763c12916b81843c542644
SHA512: 525cb30e77b26bb27d293eba98fa8773c01c2789f7a156f80ff398f0ddc9a1b38a083e80883a24a6deb8b76103b22727dff961bd9323f579c9497f4949023e87
-
Filesize: 12KB
MD5: e8cd2be72e86698bf847c8ab02969af5
SHA1: 7aa588e580dfa1c4699f6f27dbfed1d8c365ab48
SHA256: a41c6951d9365e774d97958b129679d175f70ca47c3a5ecd58bd42744ef21640
SHA512: f55cf41c5c07283fa6d55cf4a11979bcf120f31c1af7dcf69fc387b215374342aa6783d1a66fec0cd7d4599e5b0e4cc7513a8a380007c15178b256cbeb3b08a6
-
Filesize: 51KB
MD5: f3f07cdd21b7b220a68005e6731496ca
SHA1: 68e54ba66bb8e591d633e3d79658e03586e83311
SHA256: 251b04deac7cecff790287dc6b212222ad85fea40e5e7f6e675a63000b336d93
SHA512: 9ae2e7f6f7fca1dfe18c60653442adef506f8cb31e65624ff19cbfe4e20bd9d681236ad58ec15e80f427ef70dc289bf731b171257f2c86f85414c505b3555137
-
Filesize: 53KB
MD5: ba738127ecde978bbc9e5a07898601f8
SHA1: d7be3f8e02fb91f2ca75a6c783e3dc8e3ad2c10c
SHA256: 2680bafd34a04aa9e6c220cbd75c54b945520aa66c9544274835533ed68f4a43
SHA512: f9d73a2fbe1d15ee23bc2aa074d62795faf0fe3ad5af57865038b19d3f279bfdef6b671bb6a4477eee843fc289e828b9e31f0b842e8642b0d15cc5658880e3cd
-
Filesize: 43KB
MD5: 8da0f189cc61a7952e472a17d10fac7b
SHA1: cd4f3677f2abbdaf1297d79efe37f1a980663aa5
SHA256: 9e576d0302b6e2a27b3b2e03300020c20a359b8201eb20ce5adede0a9f12675a
SHA512: c2179066d0a2556f05b96ab5486e01b37431750f74ad97dac17cac9787445d52e266fd3024eacdda128a8e8ba65f49a9da87ba395d373d64f28c4ecc3bedb3ea
-
Filesize: 1.6MB
MD5: 330c321024ec9e5156392ba8b8e85a3b
SHA1: 41c5d8a7a016d59398520da17974569e9e700aed
SHA256: 91bff3c6164610f38a96c4fdbc5ae7315c0badbc499f1bf8bf111e7296e8e690
SHA512: 8fb9c3ac3a56201bdba13344a2b1c7bfab11f7964ae1b39094c4d68ead2b19e8245add32be99260b9473bedf2dbee39dcb70ccd1f28085ce3a48af7db5f5c292
-
Filesize: 1.7MB
MD5: 16b24166eb196aabe418b8d0d83aa60d
SHA1: 8908b4ead1a791d185bc3af927ac6f194f8734d7
SHA256: 407c590b2f222dfc9424d0d8a65a76e4ed2ad3b8ba3b302d10ebcdaff787410a
SHA512: 1ac67c8f822a5069cb670f18d77259bd1effece7b7d326a528b1175d7df2fe3684c0eeae1393de94d309d90bb94f3472438674034277b2435db9ea6ac6eac5c3
-
Filesize: 1.6MB
MD5: 4da5da193e0e4f86f6f8fd43ef25329a
SHA1: 68a44d37ff535a2c454f2440e1429833a1c6d810
SHA256: 18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e
SHA512: b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853
-
Filesize: 50KB
MD5: fd6054ccda68e02610b899cdc16d186b
SHA1: f23d3f737991466d758caabe1dac0fa0977384f3
SHA256: 3e271de68ca66ec912976e347816ceecab7540e05a98b1d8d0690c662d65d2da
SHA512: efe63d70fd7d454b57cdd4c2fe85ccd20cd6ab68cc6f990f2436f4f7a9083a2443e7868af513c55e9f1f865395a5262787e2b588ece13ff0cd10ae1146f050ad
-
Filesize: 9KB
MD5: 2987d40e46e1c0b1701e0fac75b141a5
SHA1: 0ec7e21728fa7d950f1107be0aa7ae30696941c5
SHA256: ce7d779c2671a33ede4c0313571733243b732a79330aed0ef9eabe129c38d6c0
SHA512: 613ce470b5334d7c0658c86180b17f3a9a79256a655f41de59d60bad46176f62a882b75f97a8314b0f077ca098c985b3633d8249a3ebb06e2517bfd51b0ef22b
-
Filesize: 507KB
MD5: 9495b07f33ded991c65d9b04945d44c5
SHA1: db9d5ec47980eb0709faba0cda283ff99d643b7c
SHA256: bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e
SHA512: 36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815
-
Filesize: 9KB
MD5: f4cb6e0ad8de576f746e7121eb61c364
SHA1: 636dbc63fc48cace097d332055cb42c190e65984
SHA256: 1053e632d1f5e43d1db5d263e1bacc52d199f3acb3ab8ee26e7d505569de376d
SHA512: 93cef1a63616b8b651c790d2236640c99ed9cd03de1c606345d5d8d7b2b901758459b317c1c0a0811c622d88833336d46e2c0a2ca7d1619d8614f7a2f04fb617
-
Filesize: 982KB
MD5: 8a33495d8e72035488d6bfe0ce276202
SHA1: 5acefd68888410407c01c72b985b973046a286ff
SHA256: c9af2411972dd18e6842cc37caa61d60ba1e44160668109eba99b2be72d15c72
SHA512: c39857654d88d047afe126da4e0ed4f29a473bde4f085f044e12fcde43e1e1d5787030a0bb761db32438133874fef5ce4c0870fe139b6efb13b8b80dd0972c05
-
Filesize: 20.9MB
MD5: 283aa6dc39b6b9e4267a9f5bb620ab4d
SHA1: 9daddab44c9182d51ea886110adb41fc90854f68
SHA256: c3885de8c87ff9ddf33193bed64c5599ed161957f762245e6316b126b95f6d99
SHA512: 7d9929c6fc99115945dec89cd03e1f0da9dd26302e415fe28b62420ef4ef60a2bdeaf6ba8f97c4b0286a20553a9eefb4fcffacbf17650e052020ac9bbe15eeb0
-
Filesize: 93KB
MD5: 1a9cc11b7e7c3ea0a8683eff665e9b54
SHA1: 2805aed696d065093bc4b9fa9f0b980b2fdbdfcc
SHA256: e68a4d36e349f23cef88e00015aae8f3e896e79838a881f9d5fa2642bac7352e
SHA512: cc6a34a9ac4cf5cf7b7c64bc603913b09ca3ec29b6a639a559200ad58d3d4dd66c73110a2581e848f361a0917d7060ec310104ff38e36c20049522d016c7d33a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Filesize: 1KB
MD5: fef0eb68d8155435755b8c45d6b18d8b
SHA1: 7c672bcb826e3e6f07c8989d51e597a4921a1c69
SHA256: 89abe5399b376c2b29551c3ea389d0bfdc4f1d0661a47f8f4f646393c483ac60
SHA512: 5fa3cc1cbefafe64d2d675efe6f43eb49d07a789019d2dbeb45c8260217854e1b4eeb454f342299d3fa447174083a6bddf3e030ebc0cfa671b4d052bbfa86281
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
Filesize: 1KB
MD5: f3934ff8d52196445395567b4429620e
SHA1: 4c05f15c54354bceb9d8af2abf6e38c8fe83dbcc
SHA256: 1b6e340b1fc132be8281410189dd2de422f0ed0ef44f2eb046d826b5832417a4
SHA512: e4ac00c30f65da63d31c9abd2ca1a4e96391a9d7353bff3be3213997b7934f57d041e490f3767ea804c05841f378f7c2f8046165fb57544f5e42225b81f557f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Filesize: 532B
MD5: fcaffe8520e8c4b2054818d74748678e
SHA1: 3acd48837a2b768d2a15ee4325b3a517d1082049
SHA256: 9a08cce5ac92f7ba103eae069eb221e05da9d80df103593fa19011e0c3820916
SHA512: ade41c93f9f761682b3b8e7de40b9906655334bac3738d83f13166e4717c8cb2c99e9d7ef730978b26e30bb5861f4cdbf0b20bf1f8f2b90397d86febbcf6a5e8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
Filesize: 544B
MD5: 4c742538538b113c0a1dfae630f2b92e
SHA1: e8a8197ba34177cac9735f26a55aab18939ac2c4
SHA256: cbbd0ab87795d92ff0b1dcdcfdd2dd0fb89068db0924f034364537f6f3b4cfb4
SHA512: ff57435389ce9a2f9f9a86731b276c618a5da78376c05a9c5876d85f9b868323d4cfa39b7b37db5996b8a42d345db36c251de82802415081b62a8fdb7997a56d
-
Filesize: 123B
MD5: 17af548f88a3199aa8a63a72201f470f
SHA1: 4e64bb20a2f54d778ed684aa21abebad63a5c2c0
SHA256: a558dbe555749cd3bdd62060fdbba72720c4f4a186d5870b977ed2acf9721d9e
SHA512: 08bdbc75f5fd4d9ec85c53253e4030ce7245b20ecc95e032835609c7c43a07d6c9e7776f48c5494a788a543240c0649a9f1a34a0e514ebc4dda5730953647338
-
Filesize: 221KB
MD5: 911aa8d08b7ccab654e897b0e4439354
SHA1: 4f4f16048deae47a2ff5b9849042f62ec51794bc
SHA256: ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b
SHA512: 8aa11f26093e54a62c5390c64e218a8a57cd3374bbce8ecc243042dd8a2214ede1f3befa699837698c0bd42b9b4e011f95c62588b8bdd4da9aae12dabe4b46e4
-
Filesize: 384KB
MD5: 776851d4a843a0717892e075d03f46ce
SHA1: 71158f473006c4bbe7c0a5e969c0b346e0c57ac8
SHA256: 3242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b
SHA512: 57130f320b81da24c784d84b94d2968437f48a7a950944e4c5c31858741d2e31f33cd01992f36fd55b9fcd2fdd425b831da6b7a196bba4d9486d4a8f0aead7aa
-
Filesize: 191.6MB
MD5: b42d32a276b782d58420ec171789ed34
SHA1: 789505e6363e2fc9942e5b73df99884760273abf
SHA256: 704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839
SHA512: 63741b75309f8f41a57bd9e1daa4f7e408a73de2d2fe19e2ef3b51dc7d0e1cc5b9d3ba2c2bc3250649992e693a206825081a6cf25badd93c12592c359ec61684
-
Filesize: 59KB
MD5: d42b83e5e46d7cc78baf0fc96c9eb676
SHA1: f8749d8dcfc7e5ca8ae9c1c61cd07c69ba5179e8
SHA256: 1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6
SHA512: bafd9284e3de19607cc64c2f1b4ec7d18906f49618aac246ae2ef103e36a918d7f6d0c8df7a45d11e36281dcd95da8b65add4e72228d97fd4f4c43de086b6508
-
Filesize: 52KB
MD5: 0bc66dacfaa51cc1836424e3bec2a3f2
SHA1: a4913f8b55ab23be811768bb654e3ee501c7b4ac
SHA256: a64efa8dbf365c9f5db260047911d47cbf75cdb39cc21adb6b569644849ba1b7
SHA512: f374987a8c15f901f9ec6a7b75fcc712a4313dd3c42dd05b8dc8f8b3d0e7a4c66f04bd640d90cf16078b73f8122e2ccce0d9f96ac9296842b353660a310b02ec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{3F408034-3680-483F-A303-286D629038CA}\_B5F8CC6E4F9FA1A6023003.exe
Filesize: 14KB
MD5: 07282ca770d5cc6fba8e0c1598c485f2
SHA1: b7bb6f83b446f73499059d2e14cafba3fc09eb81
SHA256: c7669bc86c8102ab2cec262de32ac4aca06e4904959c088d85440ae77b85ec36
SHA512: 845fd16f032fd40456d74f30045e688044b5d2b4014a06ec700fd0211ed4a2b9fbe53dc89ad8bd7f2407c0ce6cb12885f06185c56065672071d682b39716903b
-
Filesize: 63KB
MD5: 384a729b4093250d9786013e15e9aa31
SHA1: c7ebd3366e0b05b2eb0cd17a6a8354427436774c
SHA256: e83ddd458b0433c98f4d13853cc88cf72fada6ffce6d56fcaca8e83bd76abfad
SHA512: d6f70005e29e6e8b5c926d7fa4280ae1081c8c0626f74417a73fb81dd5522abab300dd7105f8842a2f41b8f036edacb4853bc6ca7be8f67e5da80ca9de9bc66e
-
Filesize: 19KB
MD5: e9027d5aa1ac489767470cdb9832928a
SHA1: caf01ae8df91c704b9ec1752a90839b46c12bbfa
SHA256: e6ebe531e297c6beb98418e0885b18cc148a8b26525041230f2a2cf09b964610
SHA512: 7db67149b626f0d5fc611d3c699ad76837003b402466da91a2a8a18ee44a2ae58648eb7c3eccf6802c4a2194776b6e2a6ba443601c34eaf52c273bbdb1476289
-
Filesize: 23.7MB
MD5: a76aca1b5f98f13019c9dfa0e920a0b0
SHA1: c37aec0019a8a6107fc8c8703ded54bdc71d497a
SHA256: 9fb53d8391439f86f2a2d8389765f08a6979f13f31696eb0d47af3f4dc65d7aa
SHA512: fc2aebcc3be601b3c00dcd29721c7190bdbf9f3c602d3cd236304d1a7cf48b9593405b859ac68911a5961dc9654b55a8a98006861c1107fc33c2ea8643195cd1
-
\??\Volume{2dcc6a48-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e18bd059-aa86-44f0-9644-37c14dfee09e}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 7db8e58e3fa677dc80c56a7ef60b1a8d
SHA1: 430c14b2ca34e43408321ff31fd723cab1d1c0c4
SHA256: 443eccf5834c703b2cb505dea6828b77204ff35f1ae828af086aa689d9f07bb2
SHA512: 7b22e11a5580fd3d1db60a1e42c6193532a0b74e612deea183e7715dcaf8ddfc5a8c381cae8f07d6c8ea3dee2bfdf27d7f87b875da01732d3ec8e8049052092d