f31445d1d91bec8e0ad59913808e62a3998c3156bf4d1fc1349e4464f25017bc

Analysis

max time kernel
64s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 13:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ManyCamSetup.exe
Size

124.5MB
MD5

c9b082accc349f96220e94db97cb2f76
SHA1

18d7e4a8f0e8ee3403f18e544fc854465a153d1c
SHA256

f31445d1d91bec8e0ad59913808e62a3998c3156bf4d1fc1349e4464f25017bc
SHA512

dbb83beb52e91e608c74eb5cf359779ff3d7b8c9df3285bf9c0561c0229453cd512f34fa075727c124bd805c04a2c610e49457899192df66de14d5ed8ff6c1fb
SSDEEP

3145728:CBOiT+72oMmW1beioZia2yCupqVR9yfJg2wQBP4vvNR:AO57omW1beio0apURAJg9QBEvv

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\SET198E.tmp	DrvInst.exe
File created	C:\Windows\system32\drivers\SET198E.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\drivers\mcaudrv_x64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET28B.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET28B.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\mcvidrv.sys	DrvInst.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\47512BB7DCAA8915E3C42198CFBA146904512D17\Blob = 03000000010000001400000047512bb7dcaa8915e3c42198cfba146904512d170400000001000000100000000e88f7689b1b27b0d929f5f9e3fe42cd140000000100000014000000a9334d16df2a4c8dfacb72711c19f72bee0ba662190000000100000010000000c4178edf992b57a7fc26cb35bd3c00050f000000010000002000000053dfa62abe483483895f0322c9bd56ade621f5227c67818ab654a3fbbba27378200000000100000039050000308205353082041da00302010202104951b59c41cc014cc60a41d270b7f03b300d06092a864886f70d01010b05003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3134313032393030303030305a170d3136313032383233353935395a3067310b3009060355040613024341310f300d060355040813065175656265633111300f0603550407130842726f73736172643110300e060355040a14074d616e7943616d3110300e060355040b14074d616e7943616d3110300e060355040314074d616e7943616d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a9b1c9f2745ea5ec70830010c8822823847447bdcc3a574a53264d40c7f80b82612a06c41b24c8184c3b9a152d97bb73329b620c9b7ced508f7df4e615241726d8b88d59221fcaa49f47343404669b6912069bd683756e444e7d6d4fd04fee2a334821ad0f691bd1b4bfe91619d5dc8486c050e49094c5f4fb61377593511d16084794bfd3e56a658bede1378e1a70e222ad7d4bd1beeb0dbe4d2ada5e8181134981a53f953f9179fcd87130b4a7f4f00762d409d0c8133aeab32c588ec6f3befdae80a4ac9337f2eda6438b637dcbcd99fd2f0dd8362788f4c366b6e8777973735f9210a80179cf4b344318d19e49be9802c964b7cdc61f5da5c6cbff8d766f0203010001a382018d3082018930090603551d1304023000300e0603551d0f0101ff040403020780302b0603551d1f042430223020a01ea01c861a687474703a2f2f73662e73796d63622e636f6d2f73662e63726c30660603551d20045f305d305b060b6086480186f84501071703304c302306082b06010505070201161768747470733a2f2f642e73796d63622e636f6d2f637073302506082b0601050507020230190c1768747470733a2f2f642e73796d63622e636f6d2f72706130130603551d25040c300a06082b06010505070303305706082b06010505070101044b3049301f06082b060105050730018613687474703a2f2f73662e73796d63642e636f6d302606082b06010505073002861a687474703a2f2f73662e73796d63622e636f6d2f73662e637274301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301d0603551d0e04160414a9334d16df2a4c8dfacb72711c19f72bee0ba662301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010b050003820101007151b3d91a73f7b3350d518d9d58d52a9bc95ed08f3fd9dd472be73119f85013ebe189aa9e14af98444adbf13b5b43d5b4500f57559bbfe36406fc124c8ac01d91ef3e3c78e40eb852c2c5054c1bb946026c784500a78b716e64f02b58c678ba2225165904b8341ef9f6c3fc73d9a3a658857419449fad0caca180fca889ba3bf7e9d2327cc599406bd90294115d643d6fd5d9327458157c6a02ab11583b7f344b0b77c0a542ab3e0499b19db2fe2f19f04f7349d0abb3bf3e51544a95ee8b57939f61a4d0446b07d21cea74140c917511f81e743f2559325ec70a07ac907c38b956e7cfe2178af5567ccff2187cac105b6b16919a856ee1b3b9e92b185f3e2e	DrvInst.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2100	netsh.exe
2980	netsh.exe
2256	netsh.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\SETD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\mcvidrv.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\SET971.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\mcaudrv_x64.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\SET972.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mcaudrv_x64.inf_amd64_0a2bf091d6cf55d8\mcaudrv_x64.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\mcaudrv_x64.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mcvidrv.inf_amd64_8f79bd544a4f6ca8\mcvidrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mcvidrv.inf_amd64_8f79bd544a4f6ca8\mcvidrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\SETFFFB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\mcvidrv.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mcvidrv.inf_amd64_8f79bd544a4f6ca8\mcvidrv.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mcaudrv_x64.inf_amd64_0a2bf091d6cf55d8\mcaudrv_x64.PNF	mdsu.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\SET971.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\SET983.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\SETFFFB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\mcvidrv.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\SET983.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\SETFFFC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\SETD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\SET972.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\mcaudrv_x64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{47683161-568e-6f40-b6ea-523e3c1d640d}\SETFFFC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mcvidrv.inf_amd64_8f79bd544a4f6ca8\mcvidrv.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mcvidrv.inf_amd64_8f79bd544a4f6ca8\mcvidrv.PNF	mdsu.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mcaudrv_x64.inf_amd64_0a2bf091d6cf55d8\mcaudrv_x64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mcaudrv_x64.inf_amd64_0a2bf091d6cf55d8\mcaudrv_x64.cat	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\api-ms-win-crt-heap-l1-1-0.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nskD38B.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\imageformats\nsmE4EE.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nssF331.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\api-ms-win-crt-utility-l1-1-0.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\imageformats\nscE4FF.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\libyuv.txt	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\translations\qtwebengine_locales\nsdE781.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\msvcp140.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nswE3E6.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\drivers\video\mcvidrv.sys	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\libP7.txt	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\uninstall.exe	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\api-ms-win-crt-math-l1-1-0.dll	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\tbb.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsyF4F3.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\RobotoCondensed.txt	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\api-ms-win-crt-environment-l1-1-0.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\inference_engine_lp_transformations.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsxE487.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\libspeex.txt	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\licenses\readme.txt	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\resources\nsmE540.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nswF0C8.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\inference_engine_ir_reader.dll	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\Roboto.txt	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\readme.txt	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\MKLDNNPlugin.dll	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\matting.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsmEFEC.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nssF38C.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsdF37A.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\api-ms-win-crt-environment-l1-1-0.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\imageformats\nshE4CA.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\imageformats\nsxE4DC.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsiF343.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\libtiff.txt	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\matting_quality.mcmodel	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\vcruntime140_1.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nskD38A.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nswD5A6.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\iie_inferer_quality.exe	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\matting.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsiF3F4.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\curl.txt	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\data\nsyF544.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\iie_inferer_speed.exe	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\inference_engine_transformations.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsiF3A0.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nssF3E3.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\uninstall.log	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\api-ms-win-crt-runtime-l1-1-0.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsnF3C3.tmp	ManyCamSetup.exe
File created	C:\Program Files (x86)\ManyCam\help\third-party\libraries\docs\licenses\BebasNeue.txt	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\modules\VirtualBackground\api-ms-win-crt-filesystem-l1-1-0.dll	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsrD627.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nswD648.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nswF118.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nssF38E.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\resources\nsiE65B.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsyE804.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsnF366.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsnF367.tmp	ManyCamSetup.exe
File opened for modification	C:\Program Files (x86)\ManyCam\nsuD19F.tmp	ManyCamSetup.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	mdsu.exe
File created	C:\Windows\INF\ks.PNF	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\kscaptur.PNF	DrvInst.exe
File created	C:\Windows\INF\c_media.PNF	mdsu.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	mdsu.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mdsu.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 7 IoCs

pid	Process
1708	mdsu.exe
3672	mdsu.exe
1060	mdsu.exe
4612	mdsu.exe
3740	ManyCamService.exe
872	ManyCamService.exe
2140	ManyCamService.exe

Loads dropped DLL 25 IoCs

pid	Process
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3992	3976	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCamService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	mdsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	mdsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mdsu.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Effect\shell\open\command\ = "\"C:\\Program Files (x86)\\ManyCam\\ManyCam.exe\" \"--open-effect\" \"%1\""	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.LT\DefaultIcon	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{A799A802-A46D-11d0-A18C-00A02401DCD4}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mce\ = "ManyCam.Effect"	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Effect\shell\open	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A800-A46D-11d0-A18C-00A02401DCD4}\FriendlyName = "WDM Streaming TV Tuner Devices"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A801-A46D-11d0-A18C-00A02401DCD4}\CLSID = "{A799A801-A46D-11d0-A18C-00A02401DCD4}"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A801-A46D-11d0-A18C-00A02401DCD4}\FriendlyName = "WDM Streaming Crossbar Devices"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{19689BF6-C384-48FD-AD51-90E58C79F70B}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\ = "TV Tuner Property Page"	DrvInst.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F}	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mcbox	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F}\CLSID = "{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F}"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mcpro	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mclt2	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Preset\shell	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Project\shell	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.LT\shell\open\command	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A802-A46D-11d0-A18C-00A02401DCD4}\FriendlyName = "WDM Streaming TV Audio Devices"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\ = "Analog Crossbar Property Page"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.EffectPack\shell\open\command	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ = "%SystemRoot%\\System32\\kstvtune.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\ = "WDM Analog Crossbar"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mcpro\ = "ManyCam.Project"	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Effect\DefaultIcon	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Effect	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.EffectPack\shell	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Project\DefaultIcon	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{A799A800-A46D-11d0-A18C-00A02401DCD4}	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mcep	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{A799A800-A46D-11d0-A18C-00A02401DCD4}\CLSID = "{A799A800-A46D-11d0-A18C-00A02401DCD4}"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Preset	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{7A5DE1D3-01A1-452C-B481-4FA2B96271E8}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ = "%SystemRoot%\\System32\\kstvtune.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Preset\DefaultIcon	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Preset\DefaultIcon\ = "C:\\Program Files (x86)\\ManyCam\\data\\preset.ico, 0"	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F}\CLSID = "{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F}"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.EffectPack\DefaultIcon	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.LT\shell\open\command\ = "\"C:\\Program Files (x86)\\ManyCam\\ManyCam.exe\" \"--open-lower_third_theme\" \"%1\""	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{19689BF6-C384-48FD-AD51-90E58C79F70B}\CLSID = "{19689BF6-C384-48FD-AD51-90E58C79F70B}"	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32\ThreadingModel = "Both"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96461-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Effect\DefaultIcon\ = "C:\\Program Files (x86)\\ManyCam\\data\\effect.ico, 0"	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ManyCam.Effect\shell	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{7A5DE1D3-01A1-452C-B481-4FA2B96271E8}\CLSID = "{7A5DE1D3-01A1-452C-B481-4FA2B96271E8}"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96462-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\ = "TV Audio Property Page"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mcv	ManyCamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mcep\ = "ManyCam.EffectPack"	ManyCamSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}	DrvInst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96460-78F3-11d0-A18C-00A0C9118956}\InprocServer32\ = "%SystemRoot%\\System32\\ksxbar.ax"	DrvInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32	DrvInst.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	mdsu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	mdsu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	mdsu.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeAuditPrivilege	3124	svchost.exe
Token: SeSecurityPrivilege	3124	svchost.exe
Token: SeLoadDriverPrivilege	3672	mdsu.exe
Token: SeRestorePrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4128	DrvInst.exe
Token: SeLoadDriverPrivilege	4612	mdsu.exe
Token: SeRestorePrivilege	3508	DrvInst.exe
Token: SeBackupPrivilege	3508	DrvInst.exe
Token: SeRestorePrivilege	3508	DrvInst.exe
Token: SeBackupPrivilege	3508	DrvInst.exe
Token: SeRestorePrivilege	3508	DrvInst.exe
Token: SeBackupPrivilege	3508	DrvInst.exe
Token: SeLoadDriverPrivilege	3508	DrvInst.exe
Token: SeLoadDriverPrivilege	3508	DrvInst.exe
Token: SeLoadDriverPrivilege	3508	DrvInst.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe
3976	ManyCamSetup.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 2980	3976	ManyCamSetup.exe	95
PID 3976 wrote to memory of 2980	3976	ManyCamSetup.exe	95
PID 3976 wrote to memory of 2980	3976	ManyCamSetup.exe	95
PID 3976 wrote to memory of 2256	3976	ManyCamSetup.exe	98
PID 3976 wrote to memory of 2256	3976	ManyCamSetup.exe	98
PID 3976 wrote to memory of 2256	3976	ManyCamSetup.exe	98
PID 3976 wrote to memory of 2100	3976	ManyCamSetup.exe	100
PID 3976 wrote to memory of 2100	3976	ManyCamSetup.exe	100
PID 3976 wrote to memory of 2100	3976	ManyCamSetup.exe	100
PID 3976 wrote to memory of 3412	3976	ManyCamSetup.exe	102
PID 3976 wrote to memory of 3412	3976	ManyCamSetup.exe	102
PID 3976 wrote to memory of 1708	3976	ManyCamSetup.exe	103
PID 3976 wrote to memory of 1708	3976	ManyCamSetup.exe	103
PID 3976 wrote to memory of 3672	3976	ManyCamSetup.exe	105
PID 3976 wrote to memory of 3672	3976	ManyCamSetup.exe	105
PID 3124 wrote to memory of 4872	3124	svchost.exe	108
PID 3124 wrote to memory of 4872	3124	svchost.exe	108
PID 3124 wrote to memory of 4128	3124	svchost.exe	109
PID 3124 wrote to memory of 4128	3124	svchost.exe	109
PID 3976 wrote to memory of 1060	3976	ManyCamSetup.exe	113
PID 3976 wrote to memory of 1060	3976	ManyCamSetup.exe	113
PID 3976 wrote to memory of 4612	3976	ManyCamSetup.exe	115
PID 3976 wrote to memory of 4612	3976	ManyCamSetup.exe	115
PID 3124 wrote to memory of 1080	3124	svchost.exe	117
PID 3124 wrote to memory of 1080	3124	svchost.exe	117
PID 1080 wrote to memory of 1872	1080	DrvInst.exe	118
PID 1080 wrote to memory of 1872	1080	DrvInst.exe	118
PID 3124 wrote to memory of 3508	3124	svchost.exe	119
PID 3124 wrote to memory of 3508	3124	svchost.exe	119
PID 3976 wrote to memory of 3740	3976	ManyCamSetup.exe	121
PID 3976 wrote to memory of 3740	3976	ManyCamSetup.exe	121
PID 3976 wrote to memory of 3740	3976	ManyCamSetup.exe	121
PID 3976 wrote to memory of 872	3976	ManyCamSetup.exe	123
PID 3976 wrote to memory of 872	3976	ManyCamSetup.exe	123
PID 3976 wrote to memory of 872	3976	ManyCamSetup.exe	123

C:\Users\Admin\AppData\Local\Temp\ManyCamSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ManyCamSetup.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall delete rule name="ManyCam Virtual Webcam"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="ManyCam Virtual Webcam" dir=in action=allow program="C:\Program Files (x86)\ManyCam\ManyCam.exe" enable=yes profile=domain,private,public
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall set rule name="ManyCam Virtual Webcam" new enable=yes
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\SYSTEM32\pnputil.exe
  pnputil.exe /enum-drivers
  2⤵
  PID:3412
- C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mdsu.exe
  "C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mdsu.exe" remove_all_video_devices
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1708
- C:\Program Files (x86)\ManyCam\drivers\video\mdsu.exe
  "C:\Program Files (x86)\ManyCam\drivers\video\mdsu.exe" add_by_name "ManyCam Virtual Webcam"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mdsu.exe
  "C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mdsu.exe" remove ManyCamAudio
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mdsu.exe
  "C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mdsu.exe" install "C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mcaudrv\mcaudrv_x64.inf" ManyCamAudio
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\ProgramData\ManyCam\Service\ManyCamService.exe
  "C:\ProgramData\ManyCam\Service\ManyCamService.exe" install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3740
- C:\ProgramData\ManyCam\Service\ManyCamService.exe
  "C:\ProgramData\ManyCam\Service\ManyCamService.exe" start
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 2284
  2⤵
  - Program crash
  PID:3992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d5ba82e4-e911-ac42-8f7f-68a12fe2b67c}\mcvidrv.inf" "9" "4b6092e43" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\program files (x86)\manycam\drivers\video"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4872
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\IMAGE\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:79f41c50f9c9ad7b:ManyCam.Device:8.0.21.0:manycam," "4b6092e43" "000000000000014C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9e1fdfcb-a96b-ed4a-b343-bd137894a497}\mcaudrv_x64.inf" "9" "4ea6deb4b" "0000000000000150" "WinSta0\Default" "000000000000015C" "208" "c:\users\admin\appdata\local\temp\nspabb3.tmp\mcaudrv"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{7844a764-9909-ee47-b7cb-a1f26d5292d2} Global\{77359bdc-7038-f743-8556-574f787dc00a} C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\mcaudrv_x64.inf C:\Windows\System32\DriverStore\Temp\{0baad1be-2980-9742-8643-48d1756d0289}\mcaudrv_x64.cat
    3⤵
    PID:1872
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:ed86ca1116c38308:mcaudrv_Simple:4.1.0.0:manycamaudio," "4ea6deb4b" "0000000000000150"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2372

C:\ProgramData\ManyCam\Service\ManyCamService.exe
C:\ProgramData\ManyCam\Service\ManyCamService.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3976 -ip 3976
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ManyCam\drivers\video\mcvidrv.inf

Filesize
4KB

MD5
d7808e7edaf49f71eacd6d2a8a7b7d77

SHA1
62509418e049d337db47a6ffd408a77e1cf4042a

SHA256
5d6b10534c4b717cb3969a0bf07692e0662b629c61b8f25fd16f5671ae7d1385

SHA512
38362f9950c482758f6c9803b3ec90caea7cffab420c7f7e65e1fa3d29f7c5c9b7e2b810e8f7de3d7794665c19310ecff8cc65a8be5826fadcd7228fff0c330e

Download Submit
C:\ProgramData\ManyCam\Service\ManyCamService.exe

Filesize
532KB

MD5
f0db70ea6b32da9e8d3dfe50206cf9c4

SHA1
d1c55d2e837355d3b9df4dd35b9a51617c92f32e

SHA256
f2ce20e7019c029388a24326b149b0fbf17649f2ba805c96e9f6fb27eb4cb3cd

SHA512
030b3096eb5db42f0a14b5c416b95ec04246669b1b8d53686a8306c077a2d2b96749b4f430c0b9f0f12a75391f87be882124433126a3848582600eb3b663b6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\AccessControl.dll

Filesize
15KB

MD5
f894e7068ee5f5b4489d7acdde7112c9

SHA1
79ec857791ad4ac76673b05e6fc44e55315424ef

SHA256
3948484bc6a6e8652c2220be411cdcabab73eab46578faca8c0bd01d3ea290ab

SHA512
e85b2bdc27b9721425bb03393e8aad897647053c77d7862ea541e03dc896173af6eaaf182514d46464d560d15c6b9d4652690885426ac1c68e2b9dd8d632e816

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\ExecDos.dll

Filesize
6KB

MD5
774e3b33d151413dc826bf2421cd51e8

SHA1
ab2928dcf6fa54bb9eb16e5f64bfcffaaeee90fa

SHA256
91d5481f576382164703e4ac244052265769377838ac30233ad79c983ed9d454

SHA512
3cf955b13e81e4b6edb292df751ce7f64b0cf30979f57b1609f002859b4e68adc046b6674f76f7b7ce7144382316c344c11fed02d638e62fcc8464c32795a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\InstallerAssistant.dll

Filesize
977KB

MD5
8751a5837085dc48715e2473d646ac17

SHA1
3b6f5239def7d39bb8b6d32b087b062ce02fd640

SHA256
502de1cba283dfaaa80635add4cfbd6d10f896a96ded55325343e5be168851b0

SHA512
ef036affdc001589bef13ef75c619b9eb2c5d657f0bb6151262799da2e26f881b2f6522a231100d9a365cc55c41ba68b04df86d17007c4749939a4e8c1986a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\UAC.dll

Filesize
13KB

MD5
c71733d8ef33afcc99050ba2b0c56614

SHA1
52b5deb2fba8cdd5fa658baa59ff8d5c9fdf5c5c

SHA256
eb80dc6d72e39c829aa2e7370acde86b4bdcc416b65bacb970c4be9ca7928b98

SHA512
2332845dc5a4b38decc640c9391ad1714451dc33d39a2baf56e57879fedd71d5b487995647753272993d67c9341c5a40d5b67a2a3dacb6c809177913aeb92f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\inetc.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mcaudrv\mcaudrv_x64.inf

Filesize
4KB

MD5
6ad8455d2d85111bc42c5b900a122825

SHA1
68692d26dde73c9d094f787a799e311efbedd39b

SHA256
0f15b959f3a05c04b6941c11b518c01e444853f4f8b351d7486ac82e677a85ea

SHA512
60fc03eef2c3d929d5611ffdae7798c3368d69805ddc244260c9b99d6a8fc2dbca83fedd5ec765fb6f0486fd10f239b91bd345605c1662e6dc5a68c1f528ae98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\mdsu.exe

Filesize
353KB

MD5
e3f8ac8f94f22db714219ccc4ee3e559

SHA1
4f06d59c46f46b54ae116005cd0918dd8f3016bd

SHA256
5c1cdd44a54e10b23a1307734ee325cd6b765d72c976eb70b0561c47a62fb99b

SHA512
8e82c95375a4f7f72163954b447e51cd460771e9217ac215a021cc7bdbc19db78ee6ff88eb08f71bc70081b8db55fdc9b2e0d4e7cf1050f987e85871f89d4e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\nsDialogs.dll

Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspABB3.tmp\w7tbp.dll

Filesize
2KB

MD5
9a3031cc4cef0dba236a28eecdf0afb5

SHA1
708a76aa56f77f1b0ebc62b023163c2e0426f3ac

SHA256
53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00

SHA512
8fddde526e7d10d77e247ea80b273beae9dde1d4112806f1f5c3e6a409247d54d8a4445ab5bdd77025a434c3d1dcfdf480dac21abbdb13a308d5eb74517fab53

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
858B

MD5
5028568a4abe1e061309cadcb085349a

SHA1
d149aa0e0ab70788456ff74c9d5459d7c00b09bf

SHA256
94fc15d540e5ffc0df6290a04c891af6f2971445f09baf0fceb369769d801884

SHA512
5256b66bdfda228195d5554b99bd9843c7f4eb53ed32edbf07c42f633555b9fb719829519d4d43060f974a4bc32054b9ec3fc9cfe36cd5a0312f373fc3b4b81f

Download Submit
C:\Windows\INF\c_media.PNF

Filesize
12KB

MD5
d6f787534eea52824abfef940379b071

SHA1
b200fb5e314de41c743ac84fc973584dee668946

SHA256
feedfdacbcff878dd0f877736f880b045941e25cd3c4013357d4e2a293a1e7d8

SHA512
7ba2d3f0858a5aea61486ba8eb96fed621384258b5055e97a314d9cde71081545d881059d9bcd5bce4f5cb2d7cc341090d2cc419cac44302708b8bef17e4beca

Download Submit
C:\Windows\INF\ks.PNF

Filesize
126KB

MD5
ec10ca8954ca09f9d1e00ba48596196e

SHA1
09a3ab802cd0d47e969de65a13bb3065f70764bc

SHA256
189b48efc7b00f6d5cad6fed9d3dccd25f662ed08b1c22eb47d9f3a0b8d1912d

SHA512
7b2a568f0e379f8673914206618cd6489faecf9722cc6cff36f9bc3a0803b74bff7a59b55729c19eb9f181be745e66071ea06633730fb84feebd2e14a0b18946

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
974a9c6d2cbf57a45caec4f80aee5de0

SHA1
cae1c72137db690a5f98d606c33a7bd932a974b4

SHA256
a8010430ebe78c6ac43371d872309a87da45471f4ae8a4e2031e3e03f9a356ea

SHA512
574cd0a026068db442e8e940ccd06c3cd5eef746eca633d5a62cdaba2c1aadd1402e73caaffd4f7a15a6e6df6e8688d86f21fca43d4542002fc827046ebe5c75

Download Submit
C:\Windows\System32\DriverStore\FileRepository\mcvidrv.inf_amd64_8f79bd544a4f6ca8\mcvidrv.PNF

Filesize
11KB

MD5
4f159f45bda527f57cea4292dbb71e69

SHA1
e3da0368b12108a5431b5f310221d1d922702a43

SHA256
e1df2bcbfb3cad7759236e0d0710c7a990e6e57aa51b5c2632d0dffd83aabdf8

SHA512
ec3df8f9e3bce0b951f282c4c454c3559bca92fdaa612bb03403ba9b2033e4507b76a034fd3d49924c3c7c35f8c899f3c758325218a76ea950aa771a44be5722

Download Submit
\??\c:\PROGRA~2\manycam\drivers\video\mcvidrv.sys

Filesize
63KB

MD5
985952356ece9d6186bfd45c4b1f95f5

SHA1
ee1e6ac086cdab7e3cb10e74ec7aa3664e4f7d9c

SHA256
5bc346808eb644ae02dd58250bcc843f8fb8f9d7479f8435473e14595066dbf9

SHA512
76d39663e57f96a76b19cedcad660a053ed03514b540f0cc79ee3a4a05a56b7fcaa2b9dd82c21fae39ed17b5a312104422b815822fc7f9207f7b68a608ee25b4

Download Submit
\??\c:\program files (x86)\manycam\drivers\video\mcvidrv.cat

Filesize
11KB

MD5
7d6edc58d5e22a83054170c35232884a

SHA1
bd0c6500496f95516702de38ec4bce6deda71581

SHA256
37ad0d2411d41f3608f15deba53cbdb69adff043e43443beb2f1cb76b4153f9e

SHA512
1dbcf7180b845a4d4159e35fb752f8a2b72f8848768eb9fe3c1c9f66d0b584a5cebee98a885e9b40eccc6da4c03b6537c8249910b72b7efb5b1185e20ac8190a

Download Submit
\??\c:\users\admin\appdata\local\temp\nspabb3.tmp\mcaudrv\MCAUDR~1.SYS

Filesize
35KB

MD5
7382e4a888a7d4333dff8a30b6850ee9

SHA1
1ffffea1c87f5d5400b2f489df48c6c46c334406

SHA256
3f63680a96438df841fd46f99da9670520ed3295176820dedc9d5c770ca659d0

SHA512
d19f20f2440c0f3c72541b6ac300894b8f91110d2a203f6d0764450e61a9a2269b83a23469dcb63a00703e9af6cf9732c4c34e4f1a0bf3174107f00de87e86cd

Download Submit
\??\c:\users\admin\appdata\local\temp\nspabb3.tmp\mcaudrv\mcaudrv_x64.cat

Filesize
8KB

MD5
c2d47c5dd31779917a7ad0c708ae2e07

SHA1
35b32b2fbe3d34b768deacf83bfd9d81abb0ffae

SHA256
529a272565ff8f1030af853ff393ac4a3d1f26542d2fb53874c5efe8cf5dfb9f

SHA512
aa1ed642b0e8989b92e48092b15b3e9b87022822d90237824e99e31f16df4152d9f522773b2355662e76a6ccc34f2a1cd356de542e02bafc0537b457f1b073a5

Download Submit