e01dd4833b60c7e32afdd7ec4d74ac962d32b3a798e96d88a0d9ea6ff81ee7f5

Analysis

max time kernel
600s
max time network
519s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driftaline-installer-v1.4.exe
Size

45.6MB
MD5

e834580b27ec84984ecb8aa14ba04fbe
SHA1

1a3a358aa2a22e58b24bdebbc6b70f67a2ab5736
SHA256

e01dd4833b60c7e32afdd7ec4d74ac962d32b3a798e96d88a0d9ea6ff81ee7f5
SHA512

dd80e5962bdd91d78224e2efbcc6b4f190a1e7c9300b92046f6e74bc74c65eab7cdf72a15bb1fefb798ae449d531e98f9285d8809d2b3d6fce2718b85e2f1685
SSDEEP

786432:pMw7sBmQ621PqS6xJHbm7plPf03W5/LASl2b9C4+aol+3pez78herbV13w7:GHtHVsIL83WtcO33fI8/8hY13

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\HidHide.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET4A9.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET4A9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\vjoy.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET4AA.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET4AA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\hidkmdf.sys	DrvInst.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\M:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\Q:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\Y:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\S:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\T:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\Z:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\R:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\N:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\W:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\P:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\L:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\V:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\E:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\O:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\S:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\Y:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\T:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\Z:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\X:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\K:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\A:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\B:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\K:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\M:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\P:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\J:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\Q:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\A:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\G:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\H:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\I:	HidHide_1.2.128_x64.exe
File opened (read-only)	\??\V:	HidHide_1.2.128_x64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HidHide_1.2.128_x64.exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\HidHide.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET352.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET394.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET362.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vJoy.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidhide.inf_amd64_c917ff59d737cec7\HidHide.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\vJoy.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET393.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\vjoy.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\HidHide.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\SETBB7C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\SETBB7C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\HidHide.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET394.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\vjoy.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	vJoyInstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\SETBB7D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidhide.inf_amd64_c917ff59d737cec7\HidHide.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidhide.inf_amd64_c917ff59d737cec7\HidHide.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET363.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET393.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\SETBB6B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\SETBB7D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidhide.inf_amd64_c917ff59d737cec7\HidHide.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET363.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET352.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\hidkmdf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c1198886-7ed6-4f4e-bed8-26a3fd089ff5}\SETBB6B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{12dea44c-0260-c94a-a5b3-1eb881555470}\SET362.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\hidkmdf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.PNF	vJoyInstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\vJoy\is-69KQM.tmp	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\vJoyInstall.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x86\vJoyInterfaceWrap.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\msvcr120.dll	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-AUU9M.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-F7K4C.tmp	vJoySetup.tmp
File created	C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide\hidhide.cat	msiexec.exe
File opened for modification	C:\Program Files\Nefarius Software Solutions\HidHide\HidHide_Updater.ini	msiexec.exe
File opened for modification	C:\Program Files\vJoy\x86\msvcr110.dll	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-TBS2O.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-VEK84.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-04THO.tmp	vJoySetup.tmp
File created	C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideClient.exe	msiexec.exe
File opened for modification	C:\Program Files\vJoy\x64\vJoyList.exe	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\vJoyMonitor.dll	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-55O76.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-FR2LB.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-1C6GO.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-JG4L5.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-81CD0.tmp	vJoySetup.tmp
File created	C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide\HidHide.inf	msiexec.exe
File created	C:\Program Files\Nefarius Software Solutions\HidHide\HidHide.man	msiexec.exe
File created	C:\Program Files\vJoy\x64\is-4TRHC.tmp	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\vJoyConf.exe	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-PE4UB.tmp	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\msvcr110.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\vGenInterface.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x86\mfc120u.dll	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-K1J8J.tmp	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\vJoyInstall.log	vJoyInstall.exe
File created	C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide.pdb	msiexec.exe
File opened for modification	C:\Program Files\vJoy\x86\vJoyInstall.dll	vJoySetup.tmp
File created	C:\Program Files\vJoy\is-V6ENG.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-QDN10.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-39SKL.tmp	vJoySetup.tmp
File created	C:\Program Files\Nefarius Software Solutions\HidHide\HidHide_Updater.exe	msiexec.exe
File opened for modification	C:\Program Files\vJoy\x64\mfc120u.dll	vJoySetup.tmp
File created	C:\Program Files\vJoy\is-EQCHQ.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-70PAK.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-DE3HM.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-UQL5E.tmp	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\vJoyInterfaceWrap.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\msvcp110.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x86\vGenInterface.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\vJoyConfig.exe	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-NULNU.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-LVM1M.tmp	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\WdfCoinstaller01009.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x86\vJoyInterface.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x86\msvcp120.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x64\JoyMonitor.exe	vJoySetup.tmp
File created	C:\Program Files\vJoy\is-4666H.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-OMRV1.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-AB30T.tmp	vJoySetup.tmp
File created	C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide\LICENSE.rtf	msiexec.exe
File opened for modification	C:\Program Files\vJoy\x64\mscorlib.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x86\vJoyMonitor.dll	vJoySetup.tmp
File created	C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe	msiexec.exe
File opened for modification	C:\Program Files\vJoy\x64\LBIndustrialCtrls.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\x86\LBIndustrialCtrls.dll	vJoySetup.tmp
File opened for modification	C:\Program Files\vJoy\vJoyInstall.exe	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-ALBM7.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x86\is-DTP4M.tmp	vJoySetup.tmp
File created	C:\Program Files\vJoy\x64\is-SH4JO.tmp	vJoySetup.tmp

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\e58b021.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB11B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{48DD38C8-443E-4474-A249-AB32389E08F6}	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6ED.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIB1F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB217.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	vJoyInstall.exe
File opened for modification	C:\Windows\Installer\MSIB45C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8E3.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\e58b021.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2D3.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\Installer\e58b023.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	nefconw.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIB3FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB70D.tmp	msiexec.exe
File created	C:\Windows\Installer\{48DD38C8-443E-4474-A249-AB32389E08F6}\Application.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{48DD38C8-443E-4474-A249-AB32389E08F6}\Application.exe	msiexec.exe

Executes dropped EXE 13 IoCs

pid	Process
384	driftaline-installer-v1.4.tmp
4392	HidHide_1.2.128_x64.exe
1084	HidHide_1.2.128_x64.exe
3836	nefconw.exe
400	nefconw.exe
4084	nefconw.exe
2424	nefconw.exe
4644	nefconw.exe
1612	vJoySetup.exe
4912	vJoySetup.tmp
4828	vJoyInstall.exe
3152	DriftAline.exe
4668	HidHideClient.exe

Loads dropped DLL 64 IoCs

pid	Process
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4392	HidHide_1.2.128_x64.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
1616	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	nefconw.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	vJoyInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	vJoyInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	vJoyInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	nefconw.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	vJoyInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	vJoyInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	nefconw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	nefconw.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	nefconw.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	vJoyInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	vJoyInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	nefconw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C83DD84E34447442A94BA2383E9806F\HidHide_XBOX = "HidHide_1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\PackageCode = "A72114DDE728EC54BB11097215FF8131"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C83DD84E34447442A94BA2383E9806F\HidHide_HID = "MainFeature"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\SourceList\PackageName = "HidHide.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C83DD84E34447442A94BA2383E9806F\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C83DD84E34447442A94BA2383E9806F\HidHide_1 = "HidHide"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C83DD84E34447442A94BA2383E9806F\C4FE6FD5B7C4D07B3A313E754A9A6A8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Nefarius Software Solutions\\HidHide 1.2.128\\install\\89E08F6\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C83DD84E34447442A94BA2383E9806F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\ProductName = "HidHide"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\07CC22885A2E7BC4F8412E171051A0D1\8C83DD84E34447442A94BA2383E9806F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C83DD84E34447442A94BA2383E9806F\HidHide_XNA = "MainFeature"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\Version = "16908416"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\ProductIcon = "C:\\Windows\\Installer\\{48DD38C8-443E-4474-A249-AB32389E08F6}\\Application.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8C83DD84E34447442A94BA2383E9806F\HidHide = "MainFeature"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\07CC22885A2E7BC4F8412E171051A0D1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\SourceList\Net\1 = "C:\\ProgramData\\Nefarius Software Solutions\\HidHide 1.2.128\\install\\89E08F6\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C83DD84E34447442A94BA2383E9806F\SourceList\Media	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3152	DriftAline.exe
3960	vlc.exe
3648	WINWORD.EXE
3648	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
384	driftaline-installer-v1.4.tmp
384	driftaline-installer-v1.4.tmp
4820	msiexec.exe
4820	msiexec.exe
4912	vJoySetup.tmp
4912	vJoySetup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3960	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4820	msiexec.exe
Token: SeCreateTokenPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeAssignPrimaryTokenPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeLockMemoryPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeIncreaseQuotaPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeMachineAccountPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeTcbPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSecurityPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeTakeOwnershipPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeLoadDriverPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSystemProfilePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSystemtimePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeProfSingleProcessPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeIncBasePriorityPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeCreatePagefilePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeCreatePermanentPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeBackupPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeRestorePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeShutdownPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeDebugPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeAuditPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSystemEnvironmentPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeChangeNotifyPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeRemoteShutdownPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeUndockPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSyncAgentPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeEnableDelegationPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeManageVolumePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeImpersonatePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeCreateGlobalPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeCreateTokenPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeAssignPrimaryTokenPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeLockMemoryPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeIncreaseQuotaPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeMachineAccountPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeTcbPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSecurityPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeTakeOwnershipPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeLoadDriverPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSystemProfilePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSystemtimePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeProfSingleProcessPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeIncBasePriorityPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeCreatePagefilePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeCreatePermanentPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeBackupPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeRestorePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeShutdownPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeDebugPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeAuditPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSystemEnvironmentPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeChangeNotifyPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeRemoteShutdownPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeUndockPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeSyncAgentPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeEnableDelegationPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeManageVolumePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeImpersonatePrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeCreateGlobalPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeCreateTokenPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeAssignPrimaryTokenPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeLockMemoryPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeIncreaseQuotaPrivilege	4392	HidHide_1.2.128_x64.exe
Token: SeMachineAccountPrivilege	4392	HidHide_1.2.128_x64.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
384	driftaline-installer-v1.4.tmp
4392	HidHide_1.2.128_x64.exe
4392	HidHide_1.2.128_x64.exe
4912	vJoySetup.tmp
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe
3960	vlc.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
3152	DriftAline.exe
4668	HidHideClient.exe
4668	HidHideClient.exe
3960	vlc.exe
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 384	736	driftaline-installer-v1.4.exe	83
PID 736 wrote to memory of 384	736	driftaline-installer-v1.4.exe	83
PID 736 wrote to memory of 384	736	driftaline-installer-v1.4.exe	83
PID 384 wrote to memory of 4392	384	driftaline-installer-v1.4.tmp	100
PID 384 wrote to memory of 4392	384	driftaline-installer-v1.4.tmp	100
PID 384 wrote to memory of 4392	384	driftaline-installer-v1.4.tmp	100
PID 4820 wrote to memory of 4560	4820	msiexec.exe	104
PID 4820 wrote to memory of 4560	4820	msiexec.exe	104
PID 4820 wrote to memory of 4560	4820	msiexec.exe	104
PID 4392 wrote to memory of 1084	4392	HidHide_1.2.128_x64.exe	106
PID 4392 wrote to memory of 1084	4392	HidHide_1.2.128_x64.exe	106
PID 4392 wrote to memory of 1084	4392	HidHide_1.2.128_x64.exe	106
PID 4820 wrote to memory of 4668	4820	msiexec.exe	110
PID 4820 wrote to memory of 4668	4820	msiexec.exe	110
PID 4820 wrote to memory of 4952	4820	msiexec.exe	112
PID 4820 wrote to memory of 4952	4820	msiexec.exe	112
PID 4820 wrote to memory of 4952	4820	msiexec.exe	112
PID 4820 wrote to memory of 1616	4820	msiexec.exe	113
PID 4820 wrote to memory of 1616	4820	msiexec.exe	113
PID 4820 wrote to memory of 1616	4820	msiexec.exe	113
PID 4820 wrote to memory of 3836	4820	msiexec.exe	114
PID 4820 wrote to memory of 3836	4820	msiexec.exe	114
PID 4820 wrote to memory of 400	4820	msiexec.exe	115
PID 4820 wrote to memory of 400	4820	msiexec.exe	115
PID 888 wrote to memory of 372	888	svchost.exe	117
PID 888 wrote to memory of 372	888	svchost.exe	117
PID 888 wrote to memory of 4296	888	svchost.exe	118
PID 888 wrote to memory of 4296	888	svchost.exe	118
PID 4820 wrote to memory of 4084	4820	msiexec.exe	119
PID 4820 wrote to memory of 4084	4820	msiexec.exe	119
PID 4820 wrote to memory of 2424	4820	msiexec.exe	120
PID 4820 wrote to memory of 2424	4820	msiexec.exe	120
PID 4820 wrote to memory of 4644	4820	msiexec.exe	121
PID 4820 wrote to memory of 4644	4820	msiexec.exe	121
PID 384 wrote to memory of 1612	384	driftaline-installer-v1.4.tmp	123
PID 384 wrote to memory of 1612	384	driftaline-installer-v1.4.tmp	123
PID 384 wrote to memory of 1612	384	driftaline-installer-v1.4.tmp	123
PID 1612 wrote to memory of 4912	1612	vJoySetup.exe	124
PID 1612 wrote to memory of 4912	1612	vJoySetup.exe	124
PID 1612 wrote to memory of 4912	1612	vJoySetup.exe	124
PID 4912 wrote to memory of 4828	4912	vJoySetup.tmp	132
PID 4912 wrote to memory of 4828	4912	vJoySetup.tmp	132
PID 888 wrote to memory of 4296	888	svchost.exe	134
PID 888 wrote to memory of 4296	888	svchost.exe	134
PID 888 wrote to memory of 4248	888	svchost.exe	135
PID 888 wrote to memory of 4248	888	svchost.exe	135
PID 888 wrote to memory of 1588	888	svchost.exe	137
PID 888 wrote to memory of 1588	888	svchost.exe	137
PID 384 wrote to memory of 3152	384	driftaline-installer-v1.4.tmp	139
PID 384 wrote to memory of 3152	384	driftaline-installer-v1.4.tmp	139

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\driftaline-installer-v1.4.exe
"C:\Users\Admin\AppData\Local\Temp\driftaline-installer-v1.4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\is-PM3SU.tmp\driftaline-installer-v1.4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PM3SU.tmp\driftaline-installer-v1.4.tmp" /SL5="$A0044,46977792,785920,C:\Users\Admin\AppData\Local\Temp\driftaline-installer-v1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\HidHide_1.2.128_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\HidHide_1.2.128_x64.exe" /norestart
    3⤵
    - Enumerates connected drives
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\HidHide_1.2.128_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\HidHide_1.2.128_x64.exe" /i "C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\HidHide.msi" /norestart AI_EUIMSI=1 APPDIR="C:\Program Files\Nefarius Software Solutions\HidHide" SECONDSEQUENCE="1" CLIENTPROCESSID="4392" CHAINERUIPROCESSID="4392Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,HidHide_1,C4FE6FD5B7C4D07B3A313E754A9A6A8,HidHide_HID,HidHide,HidHide_XNA,HidHide_XBOX" PRIMARYFOLDER="APPDIR" REBOOT="ReallySuppress" ROOTDRIVE="F:\" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming" AI_FOUND_PREREQS="Visual C++ Redistributable for Visual Studio 2015-2022 x64" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\HidHide_1.2.128_x64.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1716577505 /norestart " TARGETDIR="F:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\HidHide_1.2.128_x64.exe"
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      PID:1084
- - C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\vJoySetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\vJoySetup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\is-ORR46.tmp\vJoySetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ORR46.tmp\vJoySetup.tmp" /SL5="$2023C,10728610,983552,C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\vJoySetup.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Program Files\vJoy\vJoyInstall.exe
        
        "C:\Program Files\vJoy\vJoyInstall.exe" Q
        5⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:4828
- - C:\Users\Admin\AppData\Local\Programs\DriftAline\DriftAline.exe
    "C:\Users\Admin\AppData\Local\Programs\DriftAline\DriftAline.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 479BE94A5FE5C035A9D7A741FEFB3AFD C
  2⤵
  - Loads dropped DLL
  PID:4560
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0104AC7D1049117B9AC649203F49371F
  2⤵
  - Loads dropped DLL
  PID:4952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9FD10EDE83B5036A187F66994A5F1298 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1616
- C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
  "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --create-device-node --hardware-id root\HidHide --class-name System --class-guid 4D36E97D-E325-11CE-BFC1-08002BE10318
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
  "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --install-driver --inf-path "C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide\HidHide.inf"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:400
- C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
  "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 745a17a0-74d3-11d0-b6fe-00a0c90f57da
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
  "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid d61ca365-5af4-4486-998b-9db4734c6ca3
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe
  "C:\Program Files\Nefarius Software Solutions\HidHide\x64\nefconw.exe" --add-class-filter --position upper --service-name HidHide --class-guid 05f5cfe2-4733-4950-a6bb-07aad01a3a84
  2⤵
  - Executes dropped EXE
  PID:4644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{02df166b-8a8a-c74e-a43c-5e4cfdd0cb04}\HidHide.inf" "9" "49f2aa4cb" "0000000000000138" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHide"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:372
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "201" "ROOT\SYSTEM\0001" "C:\Windows\System32\DriverStore\FileRepository\hidhide.inf_amd64_c917ff59d737cec7\hidhide.inf" "oem3.inf:*:*:1.2.98.0:root\HidHide," "49f2aa4cb" "0000000000000170"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:4296
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{19a412f1-756b-744a-bc50-51744cacd816}\vjoy.inf" "9" "49e52482b" "0000000000000178" "WinSta0\Default" "00000000000000B8" "208" "c:\program files\vjoy"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4296
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:b2fe4818a00a2e82:vjoy.Inst.Win7:12.53.21.621:root\vid_1234&pid_bead&rev_0219," "49e52482b" "0000000000000178"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:4248
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "201" "HID\HIDCLASS\1&2D595CA7&0&0000" "C:\Windows\INF\input.inf" "input.inf:741f41b50e5da60b:HID_Raw_Inst:10.0.19041.868:hid_device_system_game," "4070ed7cf" "0000000000000154"
  2⤵
  - Drops file in Windows directory
  PID:1588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420 0x2c8
1⤵
PID:2572

C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideClient.exe
"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StepGet.mpg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Recently.docx" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58b022.rbs

Filesize
222KB

MD5
14344aff987a61b8ebf4edeab2af289c

SHA1
942afe0514b337cc586d30ea60c51e99fcb0b8b1

SHA256
e8d3ee5e27c96a6e31f8b6347478ce74d8e91c81a9116b7ef00c4acc9051e04f

SHA512
bbe3fc57fdd372e2f90ac890dc85df6ae7e710ed03313db9e8c936a3641542c3ae8c3eb28212734aac9261d0a3e02011f23013deb507cc8456726073a164e6ee

Download Submit
C:\Program Files\Nefarius Software Solutions\HidHide\HidHide_Updater.ini

Filesize
115B

MD5
f6850c398a27b2a50c221ebff02b1e8e

SHA1
b146a3643e952dd3a7e33063e3190106eeb47f7d

SHA256
64402f9cf5162af3cf4bdb0ace3c59ff664f374a824cefd05e8509e9a5d53556

SHA512
97252df37e054779cde6d4eb6c42c8c0359a7eac5eb20d82efa1862034488e4f4d09cf00a3ad9dabcb47a4fbedba25bd042e7d633d78c7a6d33070b5aa4b03a9

Download Submit
C:\Program Files\Nefarius Software Solutions\HidHide\HidHide_Updater.ini

Filesize
244B

MD5
1dfcf7c8c02072a32167d6eaad0ce61f

SHA1
f018a3ec0da47dc55ed75545b467c12e313521d5

SHA256
c4fe31e143cdb2474e5f98b818cfa38e0f7924c2e019568ef6f39c900e1f00bd

SHA512
d3eeee2bdb8af188d41e04f43315aa95522e4dfa7c9e3fda080d339f6421a33d00b719eba816d02715b2db22231799c736c63b53e63990e2b9a035dd47941b0d

Download Submit
C:\Program Files\vJoy\x64\LBIndustrialCtrls.dll

Filesize
40KB

MD5
74fd55b0a678af4d4df0f8e291630f7a

SHA1
b5bbb0601c83b72e5178a0688fc55e96e48e53b9

SHA256
7bc7422dafa1272f9c528a6fb2195a6e0f0816178bbe841cbac2e916b71f58e8

SHA512
5b86b3dfc3e5d463215cb623b64abff8393d1136598f4a02056fc57e9dbe43126c0f81feb3a9a0a0fe01c9a75800c2a769aed55a2d19ee7f13f4953e6978aaaf

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\HidHide.man

Filesize
7KB

MD5
44a87f5e549297750048d850ab11db29

SHA1
e4792161077652247f37f48058d4206af6a9e176

SHA256
b31b1a14cc5812492556b0ce84a2872c76d93ab0dd0778dffa60ffb04a86b8d7

SHA512
2b005891c8febeb36739f0ae9537062994d8f56ecbb6dbea403659892fbfc66fd13b6d4121f1ce691fef57757d8da3485e43fd99cbe31c6e0c168964f23599e9

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\HidHide.msi

Filesize
2.9MB

MD5
5bffe356a0f3419367edbf2f71e1d6f7

SHA1
372b09b2e61bc8d374ceeb0ece47968256d24e42

SHA256
13b1b29666d0beacf1d3bea8d4d1b503e9c746b5612196b62b52f91a5929fecc

SHA512
e8da11a5501e8624ec9f4b33eb78586aeca5d832bd214090111ed828aa0c5d484c4770a1374f5704de3930b2c1855f2befa4d48f3c39874103e26ac4e03c8c7e

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\HidHide_Updater.exe

Filesize
1.2MB

MD5
e3bb24792d2570b26f7448f3bd3fcbd1

SHA1
cc8f33863a1370270adce72df64a944c38dad4b2

SHA256
b3c14fd2a708f1307541286376a068288de8e4b337f79d362b465b6e4a5d2f29

SHA512
28a9e67fc4f55babbf79db76eee7bf5ef8e7ed4cac9273dd76f5eb5c057635fd0b6d103122429d706cda180cd160cf004cb1be02eb6e0e26a5c21d5d90e9b620

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\HidHide.pdb

Filesize
780KB

MD5
36b45e6bcc51edf9b71d207776593149

SHA1
a3cd45d39504f86dedfb3675aa2e4fff552dfdf4

SHA256
1269e403b260f4a275d22a29f16adff0660ed078e0045e1e3cd127407f2dcb3c

SHA512
8fb707d06bc8ddafbf94ca09c1c9fbd1e100b99effd88987bf9c152e99d56a755355bbb66ac0f207a8b26883f65e25f283ca64bebf995d629d6c235fc7170260

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\HidHideCLI.exe

Filesize
192KB

MD5
e9f89f48a7676428e2c90d258d8e1790

SHA1
9a863c0d1d2ca213fbe56bc1955fce8de6540469

SHA256
8e320bd27b49f2d104f77e80fd69bc1eaa6ccde1710dd983305e07aa1a3d96be

SHA512
4a302aae81e93de4c219ac492786d1e444d1a43af235e5f6e51f3d9475e11e22c3accf002ab3ac62444994cce14ee55554391607ac367e15041ce698075d5032

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\HidHideClient.exe

Filesize
272KB

MD5
83f124a2f3945d3454bbe51b36402ae1

SHA1
a11595d3eb15d04ef447cdd9b5a741592e1fba27

SHA256
f2cf662412d054ea54d5376d640226c114055ea63e87adffbe304ebcdad8c1ee

SHA512
3700be5b5ad5ce25ba246cdbd651109fd902ff8d6453c30c80011061748b96b4a32da3a57b699559f3b4961c2c6b43fb074e025bb00c656d9d57cefee95e5435

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\HidHide\HidHide.inf

Filesize
6KB

MD5
866507e7bf4ef5361e23683726ab060d

SHA1
9f76d6d95f3ad25343c4c2b8f8e0432bb63e598d

SHA256
0e613f042efcb7d3ed8fd294ae4eae99c6a6238080a3e090703a7326e6edcb17

SHA512
11b63ecf0777bd89629719a85842cea688a11efc18816bba1f442e9e49f179db047069a66cde227dda4ee68bd296a606d6860ae4a59a44aefe8463ec366260b6

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\HidHide\HidHide.sys

Filesize
65KB

MD5
49ecca5008e20be8375ff476d240180b

SHA1
4d771f18cf09b49cdba0340cea1f8bd6d11b92fa

SHA256
5a134c195f7a4e557d3ec7c979259af01168c4d052c7192affae7578cea75e58

SHA512
62819fee4243209fcf6d3c900acefca3bc6abe40c6b262dde0f185285c2ec92925e9caf2442e94ecdf9ed01bc500dffc2e09b0e3d68f495295d2655811c8b60d

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\HidHide\LICENSE.rtf

Filesize
5KB

MD5
fde778d9a7f0494af21bc7d96be7911f

SHA1
6821a29fc5c87523747198d3dfaac3c1e1228a89

SHA256
6503c1faf3aa6d8ca3c336d6ff4c409470ff5030d724007c6baa6809c9ee9823

SHA512
af09b9eaae0d19a579cbf55bef43c4d5421052544fd72cbaa91245b1c778eab58ce19465fb2e12a112da4b65bf5c1c486617c22c0c356ed37f744553ce71ac5d

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\HidHide\hidhide.cat

Filesize
11KB

MD5
f2d70dc20d2771a0d539c9057cd5d8db

SHA1
ad5e53d18c03c9655e25f69f6608936b6f227479

SHA256
0e188060bab8438649f349760890d46992aa3b5c4e552397b8f389f78c7d8d67

SHA512
843edd07ade90f15389bd5be1dffe9e6a107d6f76c54e2b90929bb16eca65de77e2b2140d13322b1731d5bce09631ad971fa69cf343393cf592c29c07809986a

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\install.cmd

Filesize
534B

MD5
f9cc0c87778c22d5ef3771dd8e4d654e

SHA1
b3d01cd5d8788a7d957f34a480b623db5afba56c

SHA256
e67286e3a77fef32f0b9500a68ef06737e40352167b74d8bf3e876cc70f84f48

SHA512
82ec740780bf1cd2cc88b4cfd196746bdb71ae2e5019b934720d820fb43cee674d65f482e5f2dbc7ca2c399a87da671c045ec46071f8cd1b9e2d7d77940baa27

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\nefconw.exe

Filesize
543KB

MD5
af20fa87b198cd7246e9a9ad0f2df24d

SHA1
fe4409df16996daee6deaf29041c59899f055f98

SHA256
1482fa240cad984e02206427f1eb211e62c9a44b058484fc3e83ccb5b1a1fbca

SHA512
4a10d213bc3c8ddf665eedd6f9b4bd59b470f8121f001c04fec8b9dca5ac30af2f7f704f573d2cc564bfbe6f1fa7e3312c0dee1566a76fe4a6707c47609177f5

Download Submit
C:\ProgramData\Nefarius Software Solutions\HidHide 1.2.128\install\89E08F6\x64\uninstall.cmd

Filesize
540B

MD5
a70ac3050e9a2c19e23c2c156fb2f0b6

SHA1
c06359fc40e0b7c9911b55650300b3bf6724d61b

SHA256
41c117393b0c82625a4b05a7ae647e5bbcc350c791b2849fc25bf0bacd6f2d3b

SHA512
a0c398bc9e455e85dbc1d023f4296de55be13c0327c0095eaa2dbbde61d9655150263df1891ebb3c7ed1f7c3a93e6cf1be2c306aeeb29788c3e6f2d5d329e8ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
eb70fdabc44d02c195091a1853febd7c

SHA1
9917bd660a81f66cb2ab0e46d01504f9400e5886

SHA256
c044ce4eaf9f787c9cc8e82e20b98e5b59286d9693a20bf4252ebbe231472d47

SHA512
0bc6678c00ce56c6309e1c50ba374fcabd70988a518ba92f91aef41e85b225d72506d3f8be34c65bf587be2faf7d7c767e9886b05bf1d7f2f9972199f5c0f382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2

Filesize
727B

MD5
847bc340b373c38b187e06ccd0fee383

SHA1
273acbd3d4b2ffeccd77f75fd70b3e3de54b8aa9

SHA256
4ab98cad92f230443ca99df91bd2a62e641695d5bfc84bd487c44e8a8fac706e

SHA512
9dd361ad652dfb56d1d2bdc8c885f101ef447717362e22b16efa4d6ce4a0474e6bb4b5340ae74b316b0063f999599e805be3200766cff22e11442b2148dca8c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
149404eb1e65ff0e5e984fd71af5f94f

SHA1
6a2b28cb5822050a9089679af2333bc3a55a305e

SHA256
77bac021a249a7d44ea5046b2f6b62e3830e0a485320c02720c5573e8fd2feb7

SHA512
3b85bfbdf38acd54df7edd15fdf74b91ec9bbe33a34637d4ce5353af5e6614967261e55299b941df64ac14375d0739cdd72254d13862497a255c31b46f71304c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
11b228eea1ea71407c224f5c9edd4386

SHA1
b637cc61ea853be3ba63eb1fa1e1aafa1ef5e7fd

SHA256
c6906603a83c34526d0f824ba1766ce72661ca18d9c9b5e33586fb224ffc20a9

SHA512
fe728eebd6821aa2ee5cfca34a209c230294cb47e990708641f9883be43219d3986fb211102985dc0e111b35740debdf08d510dd890ff59668d3bb9343a87d70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_35E9AC8BDBFF76B8DAD6DDAFD42E3BC2

Filesize
408B

MD5
c7c4178684a8963af9b29b7b8d233d27

SHA1
cc20353e7d7b3b58faf1f69dea544eda4ec74b29

SHA256
27d94311bdab1ee3a461402857896443a7cd148006b27708846f0f9e10f9f87a

SHA512
9fcc0d858267045d0a79f7a1f1d9d58d08f90ef9f4d96b242d1b653e4c0456316ea9a7c09f451c02d90e1adb648f955c2dbf466d34c1814c23a7a17d949e12da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
b7f9e39e6d2041c09b39cb0998047638

SHA1
2fd9c28be8e0eec81261d7065ecf7179c59fd01e

SHA256
11949a839756555ae2ffd2ecee51274a12f0dd3bc89b43b7faa7db143c14c8d9

SHA512
3158ed1596f62c244c85f2c1fc4696474e6336369dd6c1843709f54af7ff48c0911e857f15d3e09562c035cb0e743f564535d875985920970190c89d6181fa72

Download Submit
C:\Users\Admin\AppData\Local\Programs\DriftAline\DriftAline.exe

Filesize
7.2MB

MD5
da4de3499c8e3c2acce56350f187b0e3

SHA1
de5af357358059caa07438165d098d50dd94ad6b

SHA256
36b20dd2249b9ab83a8aab58dc832ac59eb57d0d9cd3887db4e8ecf3c3633d64

SHA512
9cff1fcd0cee715b8afae7cd97943f56a6a6710b32aece01b40a0c1de1efb8e4db7def9acb65fe9246cd96de1278cfa8d7189973371664aa37847bbb18e4a01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4392\banner.jpg

Filesize
4KB

MD5
d5a55a78cd38f45256807c7851619b7d

SHA1
9d8269120d1d096e9ab0192348f3b8f81f5f73d9

SHA256
be83c8592906fd9651634b0823a2f45abe96aae082674568944c639b5b4a95dc

SHA512
959e7410e3006cfef9d14315e8741e34b6e81c4f9160c5d66f3abd77ce72f55f907ab3a0e500780b5c0e0e017e8639f135cc258976b4ab4b9d1aaed6242ce9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4392\dialog.jpg

Filesize
12KB

MD5
5f6253cff5a8b031bfb3b161079d0d86

SHA1
7645b13610583fb67247c74cf5af08ff848079e7

SHA256
36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0

SHA512
d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9EF.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDDE.tmp

Filesize
709KB

MD5
16427fa171bd703839d252c580c42cd0

SHA1
268ec6c390d5fba3af0d3ca55ecfc65d9e232906

SHA256
1e84a4da22cb64ab037afa6ca184e080463dd870d6db2f42dda2414fd2311caf

SHA512
52e2b47b6f461d85a689243c89c91151cd643952cd64fa0efb00522a4de3d4ffefd09adbeb524ed664b9da0fd141ebcd5a12d780debd79741626183ae837c77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA74D.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3LBEU.tmp\HidHide_1.2.128_x64.exe

Filesize
5.0MB

MD5
691ae25161f0e2784cb6d0a75777221c

SHA1
7ca68ee089ea766eb333bf7039f6dba4006cfb1f

SHA256
285394f26359b66011462c36976636d3f203a83de6ebd5dff8980b602312470d

SHA512
3d251ac708a8a145a6d40053f34081a2732f3aa860b6bf527b99f5d9501078f1d82ea3bbe58048917ad289b8db20ddd104cca942b4dc77f6ec64348f45dd3d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PM3SU.tmp\driftaline-installer-v1.4.tmp

Filesize
3.0MB

MD5
991b8ec32f0412218e3e12cb656aa0c7

SHA1
511b173b3593bb320e68c40d26ddefa6ce3b7d91

SHA256
61c5946ca041a5940342ce78a7c40fa3727914f7448bfcdfd1b996d440d779e2

SHA512
a090f8f96c7d476905ad27bec553a5fe01808bd36ce7e9f400febd78212b41a2d5cba8e7f0dace5304191a15089138180a396f3a91308d4477ec4a236b37642f

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi71B0.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{19a412f1-756b-744a-bc50-51744cacd816}\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
5cb42a31e35004ad81e5e89092adf3bc

SHA1
afdd47f3a2ec58f15abb2626e1233f5e356e8908

SHA256
44812fe5fe3b848d7d592278382c7c0370eba3115a9bd7f8db22efb89d1ed2b3

SHA512
328b35bb2b4963abc01602e2f0a78bf540c12e055bea3990d346e06edf53b5682c3387b6f86fbcf8552e2714c9d3ae6db28ca2a37a2bceb9db7e97076e932c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{19a412f1-756b-744a-bc50-51744cacd816}\hidkmdf.sys

Filesize
26KB

MD5
bffc21f44b02fbdd4a09c445db87ec59

SHA1
f7ca5a2d0b2eb9ecaf75cbfcc73eeb65889490c8

SHA256
8668f69c256baff9422ac9b3ab77448c21b5043547920591148b152cb3afb0d2

SHA512
87ee090ed4581650a491df30e26da5420ae4d6a83d178ae9e0b0ca419e367a5f31424df407d0fab55a78f2300a712c66c62ef15425e44ae5bd8100f790fbda78

Download Submit
C:\Users\Admin\AppData\Local\Temp\{19a412f1-756b-744a-bc50-51744cacd816}\vJoy.cat

Filesize
11KB

MD5
fb06e77f7c7bc0902d416c079c32d6a3

SHA1
b75aee99d492d84e83cc5ddba4791b8d2a570e7a

SHA256
784ea14d897c88be331d5c129d254a3a09add3d47066ad2879adecef3f00c97d

SHA512
1d0299593a0ce9ec23784b52602475ddea6e1b86dd3a02173061fdd9b724627265a3d6f8f08fd955615b972e9887111158fb86125c0dfde3659b4854294b66cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{19a412f1-756b-744a-bc50-51744cacd816}\vjoy.inf

Filesize
10KB

MD5
731f3d80f2296e3e13f4335885fa2556

SHA1
27e8a4a8eb907b1b1c8b720ef02a45bf9b1c6124

SHA256
33fe32886a8bf72769c3e4991265546c3d1cca9247dbb661f23f7f82362226a4

SHA512
b154c375f49934c1858646e9e750fcb7b06d6c453f61d283bb5ee5d2fe509f887d796d722d8fb7084734ee178549a33a85b23d012dc9bcd5c74136700dc4ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{19a412f1-756b-744a-bc50-51744cacd816}\vjoy.sys

Filesize
65KB

MD5
cc63b7e91816e5001fe79a840916f1c9

SHA1
63ff46f8b85bc29e298ef2ac7a434ff2df49918e

SHA256
297f9c12df8bd91640439c0bf7fe1ee391bbd01d330f5e1604a29c4669977774

SHA512
58fdcec81b6cff4e0d3a44ca93cfe1d86d8849afd0dd31af3a0d6e94483b5492a0f4729b3a0996084b56d4f5584166c4902abe195784ac7c2584489d699f0e48

Download Submit
C:\Windows\Installer\MSIB70D.tmp

Filesize
206KB

MD5
876fc2e1cf29c863f798bf0400e1dc70

SHA1
edc5628bda4968ac8d68a6d8569db2a279307ed0

SHA256
d22d7e952c0f412059aabe6ffb5ab6aa16512faf4f92c0aaed399039c2c2ae5c

SHA512
c3d9bcc862553f0cfc6713fda040b831169870ca775096ebad080def83f30e35a587c0b30aee1de214cf723b57da0f948d60bb6e01576cf3be7def9ac49de7ad

Download Submit
memory/384-2109-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/384-11-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/384-1837-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/384-6-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/384-2394-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/384-8-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/384-740-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/384-13-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/736-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/736-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/736-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1612-2112-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1612-2103-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1612-2300-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/3152-2332-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2338-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2303-0x000001FA01790000-0x000001FA01BD0000-memory.dmp

Filesize
4.2MB

Download
memory/3152-2311-0x000001FA029A0000-0x000001FA029A1000-memory.dmp

Filesize
4KB

Download
memory/3152-2310-0x000001FA029A0000-0x000001FA029A1000-memory.dmp

Filesize
4KB

Download
memory/3152-2312-0x000001FA029A0000-0x000001FA029A1000-memory.dmp

Filesize
4KB

Download
memory/3152-2315-0x000001FA04F40000-0x000001FA04F41000-memory.dmp

Filesize
4KB

Download
memory/3152-2321-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2320-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2318-0x000001FA04F40000-0x000001FA04F41000-memory.dmp

Filesize
4KB

Download
memory/3152-2317-0x000001FA04F40000-0x000001FA04F41000-memory.dmp

Filesize
4KB

Download
memory/3152-2316-0x000001FA04F40000-0x000001FA04F41000-memory.dmp

Filesize
4KB

Download
memory/3152-2302-0x00007FF9D1C30000-0x00007FF9D2171000-memory.dmp

Filesize
5.3MB

Download
memory/3152-2340-0x000001FA04FB0000-0x000001FA04FB1000-memory.dmp

Filesize
4KB

Download
memory/3152-2339-0x000001FA04FB0000-0x000001FA04FB1000-memory.dmp

Filesize
4KB

Download
memory/3152-2305-0x000001FA01BD0000-0x000001FA01DD0000-memory.dmp

Filesize
2.0MB

Download
memory/3152-2337-0x000001FA04FB0000-0x000001FA04FB1000-memory.dmp

Filesize
4KB

Download
memory/3152-2335-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2334-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2333-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2323-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2331-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2330-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2329-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2328-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2327-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2326-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2325-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/3152-2324-0x000001FA04F80000-0x000001FA04F81000-memory.dmp

Filesize
4KB

Download
memory/4912-2299-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/4912-2113-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download