51f152320b13eeb19538420087a5221e704f03acf7aebcb96751a51d762c8e5d

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PerfectCam Service = "\"C:\\Program Files\\CyberLink\\PerfectCam\\PerfectCamService.exe\" /s"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PerfectCam = "\"C:\\Program Files\\CyberLink\\PerfectCam\\PerfectCam.exe\" /prelaunch"	setup.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	setup.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	setup.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	PerfectCam_2.3.7124.0_Subscription_PFC231124-01.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WDExclusionPathTool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	PerfectCam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	GDPRDlg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	CLUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	CLUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Trial.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\clwvdpfc.inf_amd64_97bdd61df69f18f6\clwvdpfc.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\SETDD02.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\SETDD03.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\SETDD03.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\clwvdpfc.inf_amd64_97bdd61df69f18f6\clwvdPFC.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\clwvdpfc.inf_amd64_97bdd61df69f18f6\clwvdpfc.PNF	CLDrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\SETDD04.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\SETDD04.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\clwvdPFC.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\SETDD02.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\clwvdpfc.inf_amd64_97bdd61df69f18f6\clwvdPFC.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\clwvdPFC.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f3b1330f-c4eb-044f-a71d-1a83fb38f7eb}\clwvdpfc.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\Palatte\colorPalette_skintone_f.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\STD_main\setting\fix_h.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\OLRSubmission\Skin\200\textedit_01.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Promotion\image\btn1.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\CLUpdater\Language\CHT\CLUpdater.xml	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\subsys\YouCam\ImageWrapper.dll	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\libraryPage\scale\scale_control_h.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\libraryPage\scale\scale_graduation_d.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\subsys\YouCam\tensorflow.dll	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\seekbar\Bg_btn_check.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\PerfectCam Presets\Makeup\eyeshadow\eyeshadow_160601_Summer_look_03_d.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\UI\Presentation\thememgr.kc	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Driver\Win8\x64\	setup.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\about\about_htmlview_bg.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\IM_main\btn\btn1_R_n.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\OLRSubmission\Skin\150\closebtn.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\PerfectCam Presets\Makeup\eyeline\01_03_01.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Template	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\SetupCameraDlg\btn_Next_h.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\STD_main\splash\PFC2_splash_FK_00044.jpg	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\top\max_icon_h.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Boomerang\Language\Deu\BoomerangRC.dll	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\BackgroundFilter\CPU\Clair.dll	setup.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\BackgroundFilter\CPU\inference_engine.dll	setup.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Common\Media\button\tab_hl_n.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Common\Media\scrollbar2\vert\scrolbar_control_g.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\STD_main\fileRoom\btn_bottom_panel_g.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\STD_main\fileRoom\btn_middle_panel_g.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\top\btn_upgrade_h.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\CLUpdater\Skin\150\checkbox-SG.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\UI\Webcam\LibraryPage\MonthItem.kc	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Lang\ITA\IM.dll	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Common\Media\checkbox	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\Activate\bg_activation.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\PerfectCam Presets\Makeup\eyebrow\150428_12.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\PerfectCam Presets\Makeup\eyeshadow\02_03_02.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\UI\Webcam\Palatte\__init__.kc	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\OLRSubmission\REGrt_ESP.dll	7z.exe
File created	C:\Program Files\CyberLink\Shared files\language\eti\EffectExtractor.dll	setup.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Common\Media\scrollbar\btn_vscroll_thumb_h.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\playback\btn_pause_h.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\UI\Webcam\EULADeclineConfirmDlg.kc	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Boomerang\Language\Sve\BoomerangRC.dll	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Driver\Win10\x64\clwvdPFC.sys	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\ShareFiles\Share\language\rom\EffectExtractor.dll	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Layout\LibraryPage\LibraryTopPanel.bkml	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\libraryPage\button\btn_back_p.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\libraryPage\button\btn_share_n.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\Palatte\delete_h.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Profile\WMV Best Quality.prx	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\CLUpdater\Language\DEU\CLUpdater.xml	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\subsys\YouCam\tensorflow.dll	setup.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Layout\common\CheckButton2WithText.bkml	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\IM_main\bg.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\OLRSubmission\Skin\skin_CDKey.xml	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\subsys\SplashWnd\PySplashWnd.kc	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\libraryPage\scale\scale_control_n.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\STD_main\panel\button\panel_l_arrow_h2.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\UI\Utils\mathutils.kc	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\koan\python27.dll	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\libraryPage\thumbnail\months_photo.png	7z.exe
File created	C:\Program Files\CyberLink\PerfectCam\Driver\Win8.1\x64\clwvdPFC.inf	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\SetupCameraDlg\SkyForBusiness\pic_CameraSetting_SkyForBusiness_01.png	7z.exe
File opened for modification	C:\Program Files\CyberLink\PerfectCam\Custom\Skin\Standard\Webcam\Media\STD_main\setting\fix_d.png	7z.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\c_media.PNF	CLDrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	CLDrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 23 IoCs

pid	Process
1400	setup.exe
3620	7z.exe
3908	7z.exe
4308	7z.exe
1312	WDExclusionPathTool.exe
8	CLDrvInst.exe
4432	PerfectCamService.exe
3612	TaskScheduler.exe
884	PerfectCam.exe
1056	OLRStateCheck.exe
3448	GDPRDlg.exe
1372	GpuUtilityEx.exe
4640	GpuUtilityEx.exe
932	GpuUtilityEx.exe
3692	OLRStateCheck.exe
1676	OLRStateCheck.exe
3600	OLRStateCheck.exe
4068	CLUpdater.exe
236	OLRStateCheck.exe
4980	CLUpdater.exe
1752	Trial.exe
3140	Trial.exe
1960	Trial.exe

Loads dropped DLL 64 IoCs

pid	Process
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
3620	7z.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
3908	7z.exe
4308	7z.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
3860	Regsvr32.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
4432	PerfectCamService.exe
4432	PerfectCamService.exe
4432	PerfectCamService.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe

Registers COM server for autorun 1 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ = "%SystemRoot%\\System32\\kstvtune.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ = "%SystemRoot%\\System32\\kstvtune.ax"	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 62 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	CLDrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	CLDrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	CLDrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	CLDrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	CLDrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	CLDrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	PerfectCam.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	PerfectCam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PerfectCam.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PerfectCam.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	PerfectCam.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	PerfectCam.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PerfectCam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	PerfectCam.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	PerfectCam.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}\Trial = 00000000000000000000000000000000	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mklk\ = "PerfectCam2.0mklkfile"	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}\Spend = 00000000000000000000000000000000	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\ = "WDM Analog Crossbar"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\ = "WDM TV Audio"	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}\TrialRunBefore = 01000000	Trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ = "%SystemRoot%\\System32\\kstvtune.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C2A113C9F8AA80438683B11388357C4\PackageCode = "3E0E8C4F9D07F8A4B9348B556F03A326"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}\version = "2.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A802-A46D-11d0-A18C-00A02401DCD4}\FriendlyName = "WDM Streaming TV Audio Devices"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{19689BF6-C384-48FD-AD51-90E58C79F70B}\FriendlyName = "WDM Streaming Encoder Devices"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}	DrvInst.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PerfectCam2.0mklkfile\shell\Open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PerfectCam2.0mklkfile\DefaultIcon\ = "C:\\Program Files (x86)\\CyberLink\\Shared files\\EffectExtractor.exe,7"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\9C2A113C9F8AA80438683B11388357C4	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\ = "Analog Crossbar Property Page"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PerfectCam2.0mklkfile\shell\ = "Open"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\ = "WDM TV Tuner"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\ = "TV Tuner Property Page"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PerfectCam2.0mklkfile\shell\Open\ = "@C:\\Program Files\\CyberLink\\PerfectCam\\MUITransfer\\Resource.dll,-109"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PerfectCam2.0mklkfile\shell\Open\command\ = "\"C:\\Program Files (x86)\\CyberLink\\Shared files\\EffectExtractor.exe\" \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{A799A800-A46D-11d0-A18C-00A02401DCD4}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A800-A46D-11d0-A18C-00A02401DCD4}\CLSID = "{A799A800-A46D-11d0-A18C-00A02401DCD4}"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{19689BF6-C384-48FD-AD51-90E58C79F70B}	DrvInst.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PerfectCam2.0mklkfile	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{A799A802-A46D-11d0-A18C-00A02401DCD4}	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}\Install Date = e807040002001000090011000b00e701	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{A799A801-A46D-11d0-A18C-00A02401DCD4}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{19689BF6-C384-48FD-AD51-90E58C79F70B}\CLSID = "{19689BF6-C384-48FD-AD51-90E58C79F70B}"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}	Trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A800-A46D-11d0-A18C-00A02401DCD4}\FriendlyName = "WDM Streaming TV Tuner Devices"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A801-A46D-11d0-A18C-00A02401DCD4}\FriendlyName = "WDM Streaming Crossbar Devices"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\ = "TV Audio Property Page"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}\Trial = e8070400020010000900110021002d02	Trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A801-A46D-11d0-A18C-00A02401DCD4}\CLSID = "{A799A801-A46D-11d0-A18C-00A02401DCD4}"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{7A5DE1D3-01A1-452C-B481-4FA2B96271E8}\CLSID = "{7A5DE1D3-01A1-452C-B481-4FA2B96271E8}"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}	DrvInst.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mklk	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PerfectCam2.0mklkfile\DefaultIcon	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}\Live = 01000000	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ = "%SystemRoot%\\System32\\kstvtune.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PerfectCam2.0mklkfile\ = "mklk File"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AB454181-DF07-47DF-9C31-C577A3E0B5CC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{7A5DE1D3-01A1-452C-B481-4FA2B96271E8}\FriendlyName = "WDM Streaming Multiplexer Devices"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{7A5DE1D3-01A1-452C-B481-4FA2B96271E8}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PerfectCam2.0mklkfile\shell\Open	setup.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	setup.exe

Runs .reg file with regedit 1 IoCs

pid	Process
240	Regedit.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
2520	powershell.exe
2520	powershell.exe
3184	powershell.exe
3184	powershell.exe
1052	powershell.exe
1052	powershell.exe
1956	powershell.exe
1956	powershell.exe
3192	powershell.exe
3192	powershell.exe
4868	powershell.exe
4868	powershell.exe
4864	powershell.exe
4864	powershell.exe
4312	powershell.exe
4312	powershell.exe
3496	powershell.exe
3496	powershell.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3620	7z.exe
Token: 35	3620	7z.exe
Token: SeSecurityPrivilege	3620	7z.exe
Token: SeSecurityPrivilege	3620	7z.exe
Token: SeRestorePrivilege	3908	7z.exe
Token: 35	3908	7z.exe
Token: SeSecurityPrivilege	3908	7z.exe
Token: SeSecurityPrivilege	3908	7z.exe
Token: SeRestorePrivilege	4308	7z.exe
Token: 35	4308	7z.exe
Token: SeSecurityPrivilege	4308	7z.exe
Token: SeSecurityPrivilege	4308	7z.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeAuditPrivilege	1964	svchost.exe
Token: SeSecurityPrivilege	1964	svchost.exe
Token: SeLoadDriverPrivilege	8	CLDrvInst.exe
Token: SeRestorePrivilege	3908	DrvInst.exe
Token: SeBackupPrivilege	3908	DrvInst.exe
Token: SeLoadDriverPrivilege	3908	DrvInst.exe
Token: SeLoadDriverPrivilege	3908	DrvInst.exe
Token: SeLoadDriverPrivilege	3908	DrvInst.exe
Token: SeIncreaseQuotaPrivilege	3272	WMIC.exe
Token: SeSecurityPrivilege	3272	WMIC.exe
Token: SeTakeOwnershipPrivilege	3272	WMIC.exe
Token: SeLoadDriverPrivilege	3272	WMIC.exe
Token: SeSystemProfilePrivilege	3272	WMIC.exe
Token: SeSystemtimePrivilege	3272	WMIC.exe
Token: SeProfSingleProcessPrivilege	3272	WMIC.exe
Token: SeIncBasePriorityPrivilege	3272	WMIC.exe
Token: SeCreatePagefilePrivilege	3272	WMIC.exe
Token: SeBackupPrivilege	3272	WMIC.exe
Token: SeRestorePrivilege	3272	WMIC.exe
Token: SeShutdownPrivilege	3272	WMIC.exe
Token: SeDebugPrivilege	3272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3272	WMIC.exe
Token: SeRemoteShutdownPrivilege	3272	WMIC.exe
Token: SeUndockPrivilege	3272	WMIC.exe
Token: SeManageVolumePrivilege	3272	WMIC.exe
Token: 33	3272	WMIC.exe
Token: 34	3272	WMIC.exe
Token: 35	3272	WMIC.exe
Token: 36	3272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3272	WMIC.exe
Token: SeSecurityPrivilege	3272	WMIC.exe
Token: SeTakeOwnershipPrivilege	3272	WMIC.exe
Token: SeLoadDriverPrivilege	3272	WMIC.exe
Token: SeSystemProfilePrivilege	3272	WMIC.exe
Token: SeSystemtimePrivilege	3272	WMIC.exe
Token: SeProfSingleProcessPrivilege	3272	WMIC.exe
Token: SeIncBasePriorityPrivilege	3272	WMIC.exe
Token: SeCreatePagefilePrivilege	3272	WMIC.exe
Token: SeBackupPrivilege	3272	WMIC.exe
Token: SeRestorePrivilege	3272	WMIC.exe
Token: SeShutdownPrivilege	3272	WMIC.exe
Token: SeDebugPrivilege	3272	WMIC.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4432	PerfectCamService.exe
3448	GDPRDlg.exe
4432	PerfectCamService.exe
4432	PerfectCamService.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4432	PerfectCamService.exe
4432	PerfectCamService.exe
4432	PerfectCamService.exe
884	PerfectCam.exe
884	PerfectCam.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1400	setup.exe
3620	7z.exe
3908	7z.exe
4308	7z.exe
1312	WDExclusionPathTool.exe
8	CLDrvInst.exe
4432	PerfectCamService.exe
4432	PerfectCamService.exe
4432	PerfectCamService.exe
4432	PerfectCamService.exe
3612	TaskScheduler.exe
884	PerfectCam.exe
884	PerfectCam.exe
884	PerfectCam.exe
4068	CLUpdater.exe
4068	CLUpdater.exe
4980	CLUpdater.exe
4980	CLUpdater.exe
1752	Trial.exe
1752	Trial.exe
1752	Trial.exe
1752	Trial.exe
3140	Trial.exe
1960	Trial.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 1400	3188	PerfectCam_2.3.7124.0_Subscription_PFC231124-01.exe	92
PID 3188 wrote to memory of 1400	3188	PerfectCam_2.3.7124.0_Subscription_PFC231124-01.exe	92
PID 3188 wrote to memory of 1400	3188	PerfectCam_2.3.7124.0_Subscription_PFC231124-01.exe	92
PID 1400 wrote to memory of 3620	1400	setup.exe	96
PID 1400 wrote to memory of 3620	1400	setup.exe	96
PID 1400 wrote to memory of 3620	1400	setup.exe	96
PID 1400 wrote to memory of 3908	1400	setup.exe	100
PID 1400 wrote to memory of 3908	1400	setup.exe	100
PID 1400 wrote to memory of 3908	1400	setup.exe	100
PID 1400 wrote to memory of 4308	1400	setup.exe	102
PID 1400 wrote to memory of 4308	1400	setup.exe	102
PID 1400 wrote to memory of 4308	1400	setup.exe	102
PID 1400 wrote to memory of 2520	1400	setup.exe	104
PID 1400 wrote to memory of 2520	1400	setup.exe	104
PID 1400 wrote to memory of 2520	1400	setup.exe	104
PID 1400 wrote to memory of 3184	1400	setup.exe	107
PID 1400 wrote to memory of 3184	1400	setup.exe	107
PID 1400 wrote to memory of 3184	1400	setup.exe	107
PID 1400 wrote to memory of 1052	1400	setup.exe	109
PID 1400 wrote to memory of 1052	1400	setup.exe	109
PID 1400 wrote to memory of 1052	1400	setup.exe	109
PID 1400 wrote to memory of 1956	1400	setup.exe	111
PID 1400 wrote to memory of 1956	1400	setup.exe	111
PID 1400 wrote to memory of 1956	1400	setup.exe	111
PID 1400 wrote to memory of 3192	1400	setup.exe	113
PID 1400 wrote to memory of 3192	1400	setup.exe	113
PID 1400 wrote to memory of 3192	1400	setup.exe	113
PID 1400 wrote to memory of 4868	1400	setup.exe	115
PID 1400 wrote to memory of 4868	1400	setup.exe	115
PID 1400 wrote to memory of 4868	1400	setup.exe	115
PID 1400 wrote to memory of 4864	1400	setup.exe	119
PID 1400 wrote to memory of 4864	1400	setup.exe	119
PID 1400 wrote to memory of 4864	1400	setup.exe	119
PID 1400 wrote to memory of 4312	1400	setup.exe	121
PID 1400 wrote to memory of 4312	1400	setup.exe	121
PID 1400 wrote to memory of 4312	1400	setup.exe	121
PID 1400 wrote to memory of 3496	1400	setup.exe	123
PID 1400 wrote to memory of 3496	1400	setup.exe	123
PID 1400 wrote to memory of 3496	1400	setup.exe	123
PID 1400 wrote to memory of 3860	1400	setup.exe	125
PID 1400 wrote to memory of 3860	1400	setup.exe	125
PID 1400 wrote to memory of 3860	1400	setup.exe	125
PID 1400 wrote to memory of 240	1400	setup.exe	127
PID 1400 wrote to memory of 240	1400	setup.exe	127
PID 1400 wrote to memory of 1312	1400	setup.exe	128
PID 1400 wrote to memory of 1312	1400	setup.exe	128
PID 1312 wrote to memory of 4308	1312	WDExclusionPathTool.exe	130
PID 1312 wrote to memory of 4308	1312	WDExclusionPathTool.exe	130
PID 4308 wrote to memory of 2684	4308	cmd.exe	132
PID 4308 wrote to memory of 2684	4308	cmd.exe	132
PID 1400 wrote to memory of 8	1400	setup.exe	133
PID 1400 wrote to memory of 8	1400	setup.exe	133
PID 1964 wrote to memory of 2708	1964	svchost.exe	136
PID 1964 wrote to memory of 2708	1964	svchost.exe	136
PID 1964 wrote to memory of 3908	1964	svchost.exe	137
PID 1964 wrote to memory of 3908	1964	svchost.exe	137
PID 1400 wrote to memory of 4432	1400	setup.exe	139
PID 1400 wrote to memory of 4432	1400	setup.exe	139
PID 1400 wrote to memory of 4432	1400	setup.exe	139
PID 1400 wrote to memory of 3612	1400	setup.exe	140
PID 1400 wrote to memory of 3612	1400	setup.exe	140
PID 1400 wrote to memory of 3612	1400	setup.exe	140
PID 884 wrote to memory of 1056	884	PerfectCam.exe	142
PID 884 wrote to memory of 1056	884	PerfectCam.exe	142

C:\Users\Admin\AppData\Local\Temp\PerfectCam_2.3.7124.0_Subscription_PFC231124-01.exe
"C:\Users\Admin\AppData\Local\Temp\PerfectCam_2.3.7124.0_Subscription_PFC231124-01.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
  2⤵
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SupportFiles.7z" -o"C:\ProgramData\SUPPORTDIR\20240416_91637_1400" -aoa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3620
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Data1.7z" -o"C:\Program Files\CyberLink\PerfectCam" -aoa
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Data2.7z" -o"C:\Program Files\CyberLink\PerfectCam" -aoa
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd4FD6.tmp\tempfile.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- - C:\Windows\SysWOW64\Regsvr32.exe
    "C:\Windows\SysWOW64\Regsvr32.exe" /s "C:\Program Files\CyberLink\PerfectCam\REGX.dll"
    3⤵
    - Loads dropped DLL
    PID:3860
- - C:\Windows\Regedit.exe
    "C:\Windows\Regedit.exe" /s "C:\Program Files\CyberLink\PerfectCam\default.reg"
    3⤵
    - Runs .reg file with regedit
    PID:240
- - C:\Program Files\CyberLink\PerfectCam\WDExclusionPathTool\x64\WDExclusionPathTool.exe
    "C:\Program Files\CyberLink\PerfectCam\WDExclusionPathTool\x64\WDExclusionPathTool.exe" -Add "C:\Program Files\CyberLink\PerfectCam"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /NOCONSOLE /C PowerShell Add-MpPreference -ExclusionPath "\"C:\Program Files\CyberLink\PerfectCam\""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell Add-MpPreference -ExclusionPath "\"C:\Program Files\CyberLink\PerfectCam\""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
- - C:\Program Files\CyberLink\PerfectCam\Driver\CLDrvInst.exe
    "C:\Program Files\CyberLink\PerfectCam\Driver\CLDrvInst.exe" install "C:\Program Files\CyberLink\PerfectCam\Driver\clwvdPFC.inf" root\clwvdPFC
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:8
- - C:\Program Files\CyberLink\PerfectCam\PerfectCamService.exe
    "C:\Program Files\CyberLink\PerfectCam\PerfectCamService.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4432
- - C:\ProgramData\SUPPORTDIR\20240416_91637_1400\TaskScheduler.exe
    "C:\ProgramData\SUPPORTDIR\20240416_91637_1400\TaskScheduler.exe" "C:\Program Files\CyberLink\PerfectCam\PerfectCam.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{16eadabe-51fe-1346-a70a-8e5eeee03b80}\clwvdpfc.inf" "9" "4eb50072f" "00000000000000E8" "WinSta0\Default" "0000000000000158" "208" "c:\program files\cyberlink\perfectcam\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2708
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:dac64d37d9d525a7:clwvd.NTamd64:2.4.35409.10522:root\clwvdpfc," "4eb50072f" "00000000000000E8"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Registers COM server for autorun
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3908

C:\Program Files\CyberLink\PerfectCam\PerfectCam.exe
"C:\Program Files\CyberLink\PerfectCam\PerfectCam.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884
- C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe
  "C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe" /UnoPath:C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\UNO.dll /IsRegister
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Program Files\CyberLink\PerfectCam\GDPRDlg\GDPRDlg.exe
  "C:\Program Files\CyberLink\PerfectCam\GDPRDlg\GDPRDlg.exe" -a"C:\Program Files\CyberLink\PerfectCam\APReg.url" -m"C:\Program Files\CyberLink\PerfectCam\MUITransfer\Resource.dll" -l"ENU"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3448
- C:\Program Files\CyberLink\PerfectCam\GpuUtilityEx.exe
  GpuUtilityEx.exe GetMultiDeviceVendors_D3D9 0
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Program Files\CyberLink\PerfectCam\GpuUtilityEx.exe
  GpuUtilityEx.exe QueryNVidiaCapability 0
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Program Files\CyberLink\PerfectCam\GpuUtilityEx.exe
  GpuUtilityEx.exe QueryNVidiaKeplerCapability 0
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic PATH Win32_videocontroller GET *
  2⤵
  PID:2260
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_videocontroller GET *
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe
  "C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe"/UnoPath:C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\UNO.dll,/LANG:ENU
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe
  "C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe" /UnoPath:C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\UNO.dll /IsRegister
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe
  "C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe" /UnoPath:C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\UNO.dll /IsRegister
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\CLUpdater.exe
  "CLUpdater.exe" C:\Users\Admin\AppData\Local\Temp\CLUpdater.ini
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4068
- C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe
  "C:\Program Files\CyberLink\PerfectCam\OLRSubmission\OLRStateCheck.exe" /UnoPath:C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\UNO.dll /IsRegister
  2⤵
  - Executes dropped EXE
  PID:236
- C:\Program Files\CyberLink\PerfectCam\subsys\BigBang\Runtime\CLUpdater.exe
  "CLUpdater.exe" C:\Users\Admin\AppData\Local\Temp\CLUpdater.ini
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "Trial\Trial.exe "/LANG:ENU /SIGNIN""
  2⤵
  PID:3112
- - C:\Program Files\CyberLink\PerfectCam\Trial\Trial.exe
    Trial\Trial.exe "/LANG:ENU /SIGNIN"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1752
- C:\Program Files\CyberLink\PerfectCam\Trial\Trial.exe
  Trial\Trial.exe /EXPIRED_CHECKING
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "Trial\Trial.exe "/LANG:ENU /SIGNIN""
  2⤵
  PID:1820
- - C:\Program Files\CyberLink\PerfectCam\Trial\Trial.exe
    Trial\Trial.exe "/LANG:ENU /SIGNIN"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1960

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8f011ca798c1438683b3c5ccfbaa6a7f /t 4508 /p 1752
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery