7e86ee2b25f878cdeba22b0aa54c9220784eacc3254cc87316a9e897870acfcc

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Driver_Daruma_S700.exe
Size

2.9MB
MD5

1cfce8394154d228e41ad27c6f7c95b1
SHA1

8327060ec76507d23310a2c5d5e13754d8fbf3b3
SHA256

c40a8fc908bde7b50e0c2ba23b777dc5fa7eb443db08566cc36ef1576dcbf06b
SHA512

d916dd5d11b43683cad0410f450bd9444fa7f15e2a75134c466e1722d0248a29d2373a2686075c300e614b969f9862c78627df1c4a876ecd97eb5703c23cd1ed
SSDEEP

49152:uySX1qHfDjV5TZDCilpuPLwkJIF6ur6540W5/2pU79RhdTz07shjRhGPSWxldQOX:u51q/DH1DVlpCTJII6926DTzJjRhGlik

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CD8C55DF694A51603CB0B9EF796E4E94960AB2F1\Blob = 030000000100000014000000cd8c55df694a51603cb0b9ef796e4e94960ab2f120000000010000006402000030820260308201cda0030201020210b5fe690aa55201af4614488133b2bd22300906052b0e03021d0500303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c4142301e170d3133313032333133333332305a170d3339313233313233353935395a303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c414230819f300d06092a864886f70d010101050003818d0030818902818100c49386d1a793c38c6f1983c78fb8f1fcb05c72c1782f9f3088d6e4c5013f69fae79e0971ca3368b6eebf72fe3aa6d077dc007ab8e8a4b2bcef3a87ab26f090eb32669574cce1a5426b19871ad8d7009a53a58b2d4b15463959e191fbddd6a9acbea59533c8b81f8a6935550bc93ab218841190b6774ebb2ea36913e70b3f9d710203010001a36f306d306b0603551d01046430628010208ea3524462f1c5747879fefad8bf60a13c303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c41428210b5fe690aa55201af4614488133b2bd22300906052b0e03021d0500038181004a6172956f43ae42cfa92ee2eee83662a4abf4b47c9847a5e8e8f58637997f139a3617ccc3a94c39bf23a7866363c7862e3176541b4c5f62974c2c279814d4144f148f8d8bea22932a51444ed2a5df9df159b1ddecc8ab339c26f70d0da3e63c417985bc3bf9f5de5bea3248f790e045664670535da15fb6886a0517e78ec696	CertMgr64.Exe

Executes dropped EXE 9 IoCs

pid	Process
2536	CertMgr64.Exe
2184	CertMgr64.Exe
1840	unrar.exe
1792	pnputil.exe
2396	pnputil.exe
2116	unrar.exe
2708	unrar.exe
2728	dpinst-x64-multi.exe
1192	Process not Found

Loads dropped DLL 10 IoCs

pid	Process
2748	cmd.exe
2748	cmd.exe
2748	cmd.exe
2748	cmd.exe
2748	cmd.exe
2748	cmd.exe
2748	cmd.exe
2748	cmd.exe
2748	cmd.exe
2748	cmd.exe

Drops file in System32 directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\ftser2k.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\ftd2xx64.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\SET946.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\SET959.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\SET957.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\SETACA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\SETACC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\SETACE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\ftdibus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\i386\SET95A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\ftcserco.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_neutral_0a3c2df775f027fe\ftdibus.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\ftbusui.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\ftdibus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\SET958.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\SETACD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\SETACB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\SETACD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\ftdiport.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\SET944.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\SET957.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\SET944.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\i386	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\ftserui2.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\SETACE.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\SET958.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\i386\ftd2xx.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	pnputil.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\SETACB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\ftdiport.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\SETACA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\ftdibus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\SET959.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\i386\SET95A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\SET945.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_neutral_0174995d0b71bf25\ftdiport.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\SET945.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\SET946.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_neutral_0174995d0b71bf25\ftdiport.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_neutral_0a3c2df775f027fe\ftdibus.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	pnputil.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04168c4e-1a21-7d75-a3a2-676c5c7b1a33}\amd64\SETACC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3305cdbe-bc2d-4fb5-0e6f-8049bb279f75}\amd64\FTLang.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst-x64-multi.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CD8C55DF694A51603CB0B9EF796E4E94960AB2F1	CertMgr64.Exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CD8C55DF694A51603CB0B9EF796E4E94960AB2F1\Blob = 030000000100000014000000cd8c55df694a51603cb0b9ef796e4e94960ab2f120000000010000006402000030820260308201cda0030201020210b5fe690aa55201af4614488133b2bd22300906052b0e03021d0500303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c4142301e170d3133313032333133333332305a170d3339313233313233353935395a303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c414230819f300d06092a864886f70d010101050003818d0030818902818100c49386d1a793c38c6f1983c78fb8f1fcb05c72c1782f9f3088d6e4c5013f69fae79e0971ca3368b6eebf72fe3aa6d077dc007ab8e8a4b2bcef3a87ab26f090eb32669574cce1a5426b19871ad8d7009a53a58b2d4b15463959e191fbddd6a9acbea59533c8b81f8a6935550bc93ab218841190b6774ebb2ea36913e70b3f9d710203010001a36f306d306b0603551d01046430628010208ea3524462f1c5747879fefad8bf60a13c303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c41428210b5fe690aa55201af4614488133b2bd22300906052b0e03021d0500038181004a6172956f43ae42cfa92ee2eee83662a4abf4b47c9847a5e8e8f58637997f139a3617ccc3a94c39bf23a7866363c7862e3176541b4c5f62974c2c279814d4144f148f8d8bea22932a51444ed2a5df9df159b1ddecc8ab339c26f70d0da3e63c417985bc3bf9f5de5bea3248f790e045664670535da15fb6886a0517e78ec696	CertMgr64.Exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CD8C55DF694A51603CB0B9EF796E4E94960AB2F1	CertMgr64.Exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CD8C55DF694A51603CB0B9EF796E4E94960AB2F1\Blob = 030000000100000014000000cd8c55df694a51603cb0b9ef796e4e94960ab2f120000000010000006402000030820260308201cda0030201020210b5fe690aa55201af4614488133b2bd22300906052b0e03021d0500303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c4142301e170d3133313032333133333332305a170d3339313233313233353935395a303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c414230819f300d06092a864886f70d010101050003818d0030818902818100c49386d1a793c38c6f1983c78fb8f1fcb05c72c1782f9f3088d6e4c5013f69fae79e0971ca3368b6eebf72fe3aa6d077dc007ab8e8a4b2bcef3a87ab26f090eb32669574cce1a5426b19871ad8d7009a53a58b2d4b15463959e191fbddd6a9acbea59533c8b81f8a6935550bc93ab218841190b6774ebb2ea36913e70b3f9d710203010001a36f306d306b0603551d01046430628010208ea3524462f1c5747879fefad8bf60a13c303a313830360603550403132f446172756d612054656c65636f6d756e696361636f6573206520496e666f726d617469636120532f41202d204c41428210b5fe690aa55201af4614488133b2bd22300906052b0e03021d0500038181004a6172956f43ae42cfa92ee2eee83662a4abf4b47c9847a5e8e8f58637997f139a3617ccc3a94c39bf23a7866363c7862e3176541b4c5f62974c2c279814d4144f148f8d8bea22932a51444ed2a5df9df159b1ddecc8ab339c26f70d0da3e63c417985bc3bf9f5de5bea3248f790e045664670535da15fb6886a0517e78ec696	CertMgr64.Exe

Runs .reg file with regedit 1 IoCs

pid	Process
2520	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	dpinst-x64-multi.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	1792	pnputil.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2556	DrvInst.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	2396	pnputil.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe
Token: SeRestorePrivilege	1032	DrvInst.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2748	2424	Driver_Daruma_S700.exe	28
PID 2424 wrote to memory of 2748	2424	Driver_Daruma_S700.exe	28
PID 2424 wrote to memory of 2748	2424	Driver_Daruma_S700.exe	28
PID 2424 wrote to memory of 2748	2424	Driver_Daruma_S700.exe	28
PID 2748 wrote to memory of 2572	2748	cmd.exe	30
PID 2748 wrote to memory of 2572	2748	cmd.exe	30
PID 2748 wrote to memory of 2572	2748	cmd.exe	30
PID 2748 wrote to memory of 2572	2748	cmd.exe	30
PID 2748 wrote to memory of 2520	2748	cmd.exe	31
PID 2748 wrote to memory of 2520	2748	cmd.exe	31
PID 2748 wrote to memory of 2520	2748	cmd.exe	31
PID 2748 wrote to memory of 2520	2748	cmd.exe	31
PID 2748 wrote to memory of 2536	2748	cmd.exe	32
PID 2748 wrote to memory of 2536	2748	cmd.exe	32
PID 2748 wrote to memory of 2536	2748	cmd.exe	32
PID 2748 wrote to memory of 2536	2748	cmd.exe	32
PID 2748 wrote to memory of 2184	2748	cmd.exe	33
PID 2748 wrote to memory of 2184	2748	cmd.exe	33
PID 2748 wrote to memory of 2184	2748	cmd.exe	33
PID 2748 wrote to memory of 2184	2748	cmd.exe	33
PID 2748 wrote to memory of 1840	2748	cmd.exe	34
PID 2748 wrote to memory of 1840	2748	cmd.exe	34
PID 2748 wrote to memory of 1840	2748	cmd.exe	34
PID 2748 wrote to memory of 1840	2748	cmd.exe	34
PID 2748 wrote to memory of 1792	2748	cmd.exe	35
PID 2748 wrote to memory of 1792	2748	cmd.exe	35
PID 2748 wrote to memory of 1792	2748	cmd.exe	35
PID 2748 wrote to memory of 1792	2748	cmd.exe	35
PID 2748 wrote to memory of 2396	2748	cmd.exe	37
PID 2748 wrote to memory of 2396	2748	cmd.exe	37
PID 2748 wrote to memory of 2396	2748	cmd.exe	37
PID 2748 wrote to memory of 2396	2748	cmd.exe	37
PID 2748 wrote to memory of 2116	2748	cmd.exe	39
PID 2748 wrote to memory of 2116	2748	cmd.exe	39
PID 2748 wrote to memory of 2116	2748	cmd.exe	39
PID 2748 wrote to memory of 2116	2748	cmd.exe	39
PID 2748 wrote to memory of 2708	2748	cmd.exe	40
PID 2748 wrote to memory of 2708	2748	cmd.exe	40
PID 2748 wrote to memory of 2708	2748	cmd.exe	40
PID 2748 wrote to memory of 2708	2748	cmd.exe	40
PID 2748 wrote to memory of 2728	2748	cmd.exe	41
PID 2748 wrote to memory of 2728	2748	cmd.exe	41
PID 2748 wrote to memory of 2728	2748	cmd.exe	41
PID 2748 wrote to memory of 2728	2748	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\Driver_Daruma_S700.exe
"C:\Users\Admin\AppData\Local\Temp\Driver_Daruma_S700.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\638.tmp\Driver_Daruma_S700.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\638.tmp\\usbfixaporta.reg
    3⤵
    - Runs .reg file with regedit
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\638.tmp\CertMgr64.Exe
    C:\Users\Admin\AppData\Local\Temp\638.tmp\\CertMgr64.exe -add C:\Users\Admin\AppData\Local\Temp\638.tmp\\Certificado_Daruma.cer -s -r localMachine ROOT
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\638.tmp\CertMgr64.Exe
    C:\Users\Admin\AppData\Local\Temp\638.tmp\\CertMgr64.exe -add C:\Users\Admin\AppData\Local\Temp\638.tmp\\Certificado_Daruma.cer -s -r localMachine TrustedPublisher
    3⤵
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2184
- - C:\Users\Admin\AppData\Local\Temp\638.tmp\unrar.exe
    C:\Users\Admin\AppData\Local\Temp\638.tmp\\unrar.exe x -y C:\Users\Admin\AppData\Local\Temp\638.tmp\\padrao.rar
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\638.tmp\pnputil.exe
    pnputil.exe -a C:\Users\Admin\AppData\Local\Temp\638.tmp\\padrao\ftdibus.inf
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\638.tmp\pnputil.exe
    pnputil.exe -a C:\Users\Admin\AppData\Local\Temp\638.tmp\\padrao\ftdiport.inf
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\638.tmp\unrar.exe
    C:\Users\Admin\AppData\Local\Temp\638.tmp\\unrar.exe x -y C:\Users\Admin\AppData\Local\Temp\638.tmp\\i386.rar
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\638.tmp\unrar.exe
    C:\Users\Admin\AppData\Local\Temp\638.tmp\\unrar.exe x -y C:\Users\Admin\AppData\Local\Temp\638.tmp\\amd64.rar
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\638.tmp\dpinst-x64-multi.exe
    C:\Users\Admin\AppData\Local\Temp\638.tmp\\dpinst-x64-multi.exe /lm /f /d
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2728

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{74ef8c64-5cae-2869-3591-e77bd81eba77}\ftdibus.inf" "9" "6cea93dfb" "0000000000000594" "WinSta0\Default" "0000000000000558" "208" "C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{75bc9f6f-9479-2877-0312-7d1f8048254f}\ftdiport.inf" "9" "64fe66217" "0000000000000558" "WinSta0\Default" "0000000000000590" "208" "C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\638.tmp\CertMgr64.Exe

Filesize
70KB

MD5
28eeb55526f9d07226c3c494e8371d05

SHA1
c9adf8ae8d938679992ddc1a4d1fe1a8bba61fe5

SHA256
061304cae07a913f85d62a2d4d3a04c1c2505c972d6d3186e3d3811a2d9d5b38

SHA512
7154922457da73266d514fd10f56e77537bd49ddc5a3da9b8d65d41fe0e58acbf59c9c9be461ca23e218caac11f75ce633e0c0ffcb9819488d2626e94c2d97db

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\Certificado_Daruma.cer

Filesize
612B

MD5
dbe1e7b4d0006308fed2b614dfaa781e

SHA1
cd8c55df694a51603cb0b9ef796e4e94960ab2f1

SHA256
36fc1ddfb1317cdf456e010760694273a1ebb96510052178f57f8823b7b2a886

SHA512
1dd26cd7b5a866987583bd69410eac875227b80c3c9f03d7dd6a6ea3a92b9d0aea512db891f38d10373533c4cbf23d9bccd8f57731d364301c1f7fe16b074bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\DarumaFrameWork.dll

Filesize
2.3MB

MD5
410b71cfe249e67db50c4f038671dc1d

SHA1
dcb9c53dad6f27b93402ba600784c8dd7180412e

SHA256
22f11664800cc10cc3554fe61e6ec7fdbf6403aab128e7ef5dd5eaf58813370f

SHA512
268f8a056bd51efaefcc361e5dfdad136441a6db4c15d7ebd749b45ffdf4d903e606af07843891e20126bc4380f2998579066ba81551912ac28e76c6d9791947

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\DarumaFramework.exe

Filesize
550KB

MD5
e8981b6e3c62cb47ca596608cc23199c

SHA1
07084ddb2409f793f219562c3985b055ac31ddc5

SHA256
b5cb20206c50c2a0c87c2ed83f25d886b6a0656235a85b71d7d1f2ac2ea04015

SHA512
e33d4e109c5917558db2b73415c2844dcc952a6f2753aa03e8028426d79b38b7bc8f82181d512c3beefd0d1d949520df659a082e03f48f3cfa603f5a99c82b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\Driver_Daruma_S700.bat

Filesize
15KB

MD5
3e6f710620cba8fc05181014eccd6b2e

SHA1
8350ecb30dbf454dd273d76fb6085bc40c3b3e27

SHA256
2332e623a7d0195c12650164b96df18e11329e415751412c537987308362b9fd

SHA512
766fef8bb3d389cc9662d60c8ef02d17295c917edda36cc98ccb51640ac4d212bc562abd7f912259272dae21ebcf0106fddc8545dd4bb5c06934e84ae819f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\Logo_Daruma.bmp

Filesize
9KB

MD5
583b7e477ac0ae25b87fe8f3e3b4b126

SHA1
f487909829eb558164a6fda523e4a15d10f469d3

SHA256
5a127043fc5834645edffb41d3d565a1453ca1152efe105ecae8c11aaa69b699

SHA512
c33dd0091bb89960c77daf8f6ee4eab80b703d44879abcfe14fdd0ab9ac41627f8bffd1a2fdf0179d9531d87336c762b921862bdbb1b42764cb7bfdac3097708

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\Magua_Daruma.bmp

Filesize
206KB

MD5
2f1263b5caa444f78bb113a60d67b61f

SHA1
b3f91e97b6bf12f6b9f0eed5342cf8d2fa67914c

SHA256
aab9a24f7af85b43cee7103614caa9e392693e03d040ce73d2357ba48907c37f

SHA512
376c5bea0dfc1e4b82abd0e0c50fb0592c52286ae7f4ee06e275df5011cbda52c0799cdde912d880bad4b557ec98b1b659d3f32756794e1c5bff3e9e700630cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\amd64.rar

Filesize
345KB

MD5
0c79062b43111f0a36530babb59f07c0

SHA1
c8611885a000cf63ae4a55ba8df27656c15a17c5

SHA256
795c02e6db6d3dc090d191a1fae5dd536518a15352bdae42c0492c1f6d4f7815

SHA512
d653b0e3ce25b8ad054cfcea14069951ba00351544e9fc4d7625b793212a395c1086376c2452235a208aaae627b09c197edebb7bb5a81b198a037c5bfd839571

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\dpinst.xml

Filesize
2KB

MD5
20440822d476792fe9316d529ca45903

SHA1
fe45bfc18e80ccfb400fca608927cc65d36d445a

SHA256
dd53ffd48111a016bbeb7c33611e7d8db977426713b724b3a951d519ef8e0115

SHA512
77fa137895c1d0b748b825b61060ff7465931909600cedd1564d79f87af77ddbb36f3adaaabf00222edf81965473161b00c2a48ebb4d10eacb59b63449ff0ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\i386.rar

Filesize
326KB

MD5
578d1f8721a43bcca2c3e8ae4dc78434

SHA1
ebccc1f03d871b525422e37a0d1a2a6d568701b4

SHA256
74d377fdb785fbfb0514395fb64aeba634f9a81303455939a2487cbcabc5cd6f

SHA512
198e3b1484ac21bdcf4e356b18b589cae4b4b8bd23905f77c3f7c666431c5e97746dab5958df9db5c3ba207731bc9c41090272772cb901ab6d84e27c34320a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\informations.txt

Filesize
407B

MD5
c3ac5464cae4e7b0267824b83464402e

SHA1
5f20401d092ec368591444b11433b2ba3c377c4d

SHA256
e83478d8199fb4eb9717871f09236629a4a772cd157331b5a09aa6645b88fd2a

SHA512
fd6d3e7f3e08fbc8a7153e7961f5c619dc7455100818bcd9051bbf405f4c03b296fe35c488752b8e6f9b69b5a0e931bf2254993ba76c7b6d0046161a4f473151

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao.rar

Filesize
996KB

MD5
4e623fd0b7c9c8ffa69b1eff4665d2fd

SHA1
83440c2ff2d6280eb54d0645ca24233529c5fcbb

SHA256
b13d18c39ca748eb2b10108faad2b78cb708ea84b747282c7645f514b13dbe97

SHA512
b48577284898bed4e0b57b91bcc90a4812a1da7a231c0d53878c0ad0a09923937c32e22db01d22fcf8ae7f4aeba0e46439e949763e2d3aef2c577bb4e36424b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\amd64\FTLang.dll

Filesize
210KB

MD5
0b17b700b17ddc80f539267d989542b5

SHA1
608377368bb59eca89b506ef58766a43c776813e

SHA256
c4dd55a3e9cd173ace302e2240ccf8dd5dd0dd493b256c2ee708244469950644

SHA512
ca0b12f6aae0d110a589d149d65cda4cd1934aa5162378bf5dff77dfb2b8fb341a5101fd4620af6f35ab38f35a534c3d6163039730362b25e4caf7a749124f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\amd64\ftbusui.dll

Filesize
107KB

MD5
dd60226d8b1a3b35a09e3a8c9e5c40ea

SHA1
7a4bcf73c7f860d01d0d1b09890f987561080184

SHA256
947dc457b62378e10908d28dd9b05f2f587f4b13b523d4b3cd8d3c6b2758454a

SHA512
458498fc2e541720f21656784801b297d410ebed9b6e01d09a03146aa782669a5a98f708fd5a21bbb3e7df76a54b512538707699528f998c9ac9f49b0af2261e

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\amd64\ftcserco.dll

Filesize
64KB

MD5
84a0dd31eda61cf8b03f0909f1064c49

SHA1
aad642d47dc81bf15f59b74aa73909d67004b4ac

SHA256
cd971e1ee2c0ab6eb8de96e258618aa3da6f8845b989ddf6cebb2bae216c8a02

SHA512
aca4b7dcc8fbda059dac9f8ec181b0f56e6d15a4f3f89fcfb0c1b2a9f2b97ef8cc4275a9e365edd386219ec5690598e393cdc960cb04f9b0c4371b106271f34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\amd64\ftd2xx64.dll

Filesize
251KB

MD5
6a1e17fe76a97559e0b9468aff6925d2

SHA1
a0a97e223ddb5ebfd716998814768d0b9bc2cda3

SHA256
fb993526425134b83964ddb45a2266aacfb2b5b85f83d856ba8d56d9f53f84aa

SHA512
ee9558a2744c0807d9e88e09b1014a193a5be67e46a7cde3e9ac358cc9220e10deb9424faa7031c1f65277bd6c91076ed95dfe08cae5ad92c0c923436ff19f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\amd64\ftdibus.sys

Filesize
77KB

MD5
340ba7cabb1f314e3650a7ef59f0a371

SHA1
8d321c495e9e5597772299ff402a874a02864c5e

SHA256
b3b11fcc0c8afd668ca6ed180b632c3983bd66026daaec150a23c83c9a0a6dce

SHA512
2c602e5c09b14aa8f225a156806a0ce5d63868d69b920fc007d746addf3e72104d0f14534f9c50b4735d81c203b466e28c91d56a2eecf9bc35439e71cdb6f4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\amd64\ftser2k.sys

Filesize
84KB

MD5
a19d6f0356dbabb94293894b84c27d27

SHA1
84ab82a75adf4f83dedba77e07ba19037433e6cf

SHA256
93b4e3314302f6f1524e776ef0fbf29221d10b642e3ba649d6e68ffab2b7b16b

SHA512
bfe87ccfb31ef7cfc2d7e3e0e0f5bf732bb71e88d38baf04707195da33c063372823c0abbef21275785bef4c6e1d836ac368ea5b429038ac4835864bcf0c2779

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\amd64\ftserui2.dll

Filesize
54KB

MD5
bb420f33f2af1e3cd0a64fc3cab080b4

SHA1
dc775442553c8042bcdea96a236ec3f3d05a4399

SHA256
618382e67f2736ac1449195cb442f4bb8cd6af4361df0523719c65291a031579

SHA512
2711c44b16a86830893e52c15b61236f95c4cfdc23557ec7e0bcbb2103c3f530758c4b142e2d1d31b48e0bacf13a6bbcfbe7e2a44326ec635f83f1f58d6211b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\ftdibus.cat

Filesize
12KB

MD5
6cbdd0e680fc3378c146308fc98fdd09

SHA1
0ac3bd991d365051ce0052f5000b872903565b31

SHA256
74665fa8b3cea7eec14c3880fc644d6d31000025784f03ae3dbfd9e3fe2f3cee

SHA512
2152ca4d61c6447de798cca269e1f45234ca22877487bf67e57e2d94896592a949650f5b7a24a622490655a1c05adf1af116b0cb74a924bdf277c715f5e993c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\ftdibus.inf

Filesize
5KB

MD5
730b2d0ad6385568049bedd87abe499c

SHA1
22ccd58b53472be3fcaff05631111c4062959a43

SHA256
1254518244312976be5f0f1c8e6bb93be39381332f647ae5d347d49e8fc3e8c6

SHA512
1d3cd92a4b38847043ead6e88a36353133ae669b4c64c0572777421e9460fceccffbaa31b2d766bd8e0e4e0828a4dd608c2ae7afbd4ec091d06c31589901f5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\ftdiport.cat

Filesize
11KB

MD5
2102ad3dacacc2e20b35a89a398c15c5

SHA1
4caac61395f17aada824f87b6dd6cbb9f87f76a9

SHA256
947cd1c95850f05496bb30ce25ef3e2213439f4e721735d156ebe59ef587d639

SHA512
57f0b4ae7bf892cd8bdedbf77e33f735d325a2cdd65a8c8203bd9f2ce3dc2f10f326beb4850677d86a9c68e7b4245bae64c2574fc2faf84cbf735e7e1118009f

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\ftdiport.inf

Filesize
5KB

MD5
797d7a31a142052653b9f372aac36629

SHA1
bd00013670d26c16e19f284bf8e15daf813497c7

SHA256
79bab445ec05e91a5a5d0e6dc858115b7633c53667a0c5d7d412ad6ba24f903b

SHA512
b1a65c931b7e3fbbf1d0c321389a780b16ec48de1a01f80fa0cdc62924e3276af6810e9f0d81e9e3bc2cb6c8981b62fd39a7f121d7c30044f5b35bf5a068fa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\padrao\i386\ftd2xx.dll

Filesize
214KB

MD5
c42d0f96ce90fb6d3b96de21886e778e

SHA1
790c9a4efb06564593966ac16a492e34ce4eb60e

SHA256
abf80af6316c5f475cd60bec680c07b4e11d1f2163f36dc51bccee3f4f2e31a4

SHA512
8c7db406ea77f54778fa9c75064d663084e3d2fa569648a8686a93f8884312d52d52fc97934206fa956e56c7a30492f2bcb2d21d1ebdebc88906ec6ca170c1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\pnputil.exe

Filesize
35KB

MD5
9d6b34dd63e99f06637c2dfb3ddb8e4d

SHA1
e1d3061892288aba7a87b5be4d100b6b5d02ab5c

SHA256
de26ce66ebdc5533ab82ca6d2557d554f1be35d1c35025076aef37da3b465b4d

SHA512
22da641a7e4bed105ed4c7a6d9514cafe428c8a85e22f39e78fb290e549378431187839a1ee8c1dffb309c8f28cb385875ca3ee0d386d0dbd3cb64496898a264

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\unrar.exe

Filesize
284KB

MD5
8bfc4518198659a554f2630b82e51a52

SHA1
8f6bfe23e8a00152db01501aa81e86e7c665551c

SHA256
4852fc617211cd13f807bea77f5aa357f2ec4776632ce963ce322b37791d257e

SHA512
1a73df573eef41cfcfd9e201a2d4fbc2024879664e8806796aa0d0ede7ecff0e2ca6c4a2621bfdb083299fe058892e33d7a378d1ac49b4e19da8ba1caeb60d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\638.tmp\usbfixaporta.reg

Filesize
276B

MD5
7b480c4b994d259fe988819fbeb3f229

SHA1
7c8474befd211567fe37b53842835127ac55a805

SHA256
d050853fd0108ab86f16f770ff9e3b700f5b40ec9aae1068933d46591afb77e3

SHA512
69d74fdff64b85942ff58a3c00d108891c422c7f30f94b500c61bd3f3b4babbf297d62b440f6d7e363c3c8489f0cfd5aa369c9ca2372ef733591ed436b0bcd9f

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
192KB

MD5
2d134473bb4a68817a004ed31e26b1c2

SHA1
415998abee33d30aa6c067e4a545c56361173085

SHA256
2048fab3864306c0d409922db74a61d031ec1a27f65166f3a4ccdc3603a821bb

SHA512
26c8d93c635bfefbdbc43562f3e53df306e92f781b7c2531cbac8abe639f797c7942bd315d24fe1885751b0754f8dbe3f99f61003d56b3841577db495a1f1297

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
33032309ebc2e03e7009d520eb2a585a

SHA1
362047392e59046f6e5ce8ac99146c548b8190e9

SHA256
b0f8ef06eeae15fc2638640f2a41abd2045d36b99c1774454883972b0c5a3c90

SHA512
933cb3507f35a638694566ea445b4ccf6cd171f394454fc92a24f64dc57c897e98084d83bfa76fb152daf45ab1b1cde8a5d911f5f4b931c038a3a058c5d83fc1

Download Submit
\Users\Admin\AppData\Local\Temp\638.tmp\dpinst-x64-multi.exe

Filesize
1019KB

MD5
bcfed22a00ed87a1b821ec56898e755f

SHA1
8cb4fd1d45d90f93d4ed684b0f1b927c7dbe4535

SHA256
d2f2bc27e975c776df7a73b7f097f761172e7b2c40d0e5de71b4598138969961

SHA512
f34513cb9ea0a62fd7458b4e57189c4c486597b4f9f897c94861f7ed01ba5f841169f3248ec068c1f8dff908632b02fc13b15290e6f623cd30625c8c32239e84

Download Submit
memory/2424-0-0x0000000000400000-0x0000000000B82000-memory.dmp

Filesize
7.5MB

Download
memory/2424-381-0x0000000000400000-0x0000000000B82000-memory.dmp

Filesize
7.5MB

Download