268c8554da70090e8893d7468ab6b1156391b80c8513a73eca9035733ee43593

Analysis

max time kernel
1684s
max time network
1556s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

3.7MB
MD5

c0fe59a9ea8ab8248d221c9008d92be3
SHA1

43958341bacc33b0c33d1e37700dda86cef35228
SHA256

08409ec3b4031df24306d19da45eb753adc542394b33d56616a57d637fa6348a
SHA512

c1a34bd32e3dbd0a91bef8f135eef904d96389b590678704a5077df9c38fdb4de5322f9cd96ae992bb548e0ff73ae2171e9afee9a17f7a94390a13c5033bf79f
SSDEEP

98304:I32NWl57blIBXlXgLT0dUTN08r4k3/BICs5t:pK57blIB1ETMlOyCit

Score

8^/10

discovery

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F6EDE999786674E1E62270D9B846954193AA94D4\Blob = 030000000100000014000000f6ede999786674e1e62270d9b846954193aa94d42000000001000000220200003082021e3082018ba00302010202108e79d832d43cdabc4fee5fe31a1ca81f300906052b0e03021d0500302431223020060355040313194964656e7469536f6674204163636573732053797374656d73301e170d3133303331323130353134355a170d3339313233313233353935395a302431223020060355040313194964656e7469536f6674204163636573732053797374656d7330819f300d06092a864886f70d010101050003818d0030818902818100d0486ee07e54051c933574491729e9bf378fd95e0e4172cb86970e46f6b3acb52860e6e827a28d6132f688bae0497ed1e92a699b223ed4795ce513918917f7b05c02f0cbc9efc00eb8f10f48cbd256aaa5e265533b1cb53d6bc16d4242aad15c185605643ec57fc195f2cf641fd1971873f1a8d0dd0554ab978ae089235715950203010001a359305730550603551d01044e304c80101b17c2a73f5611defddd79d5f5812b5fa126302431223020060355040313194964656e7469536f6674204163636573732053797374656d7382108e79d832d43cdabc4fee5fe31a1ca81f300906052b0e03021d050003818100333b23cafb3201e6c8b93b77de14aceeb113bae20e01debc9efa48261df30989310e446d24d36d687d44f8f0f9e12041dc1caee139c899188aaf23753fdc6f4961ce12b4d9e77d97791374a2cd0a2d64305210a5833414dacda0393f43764cd2a6244216a7a21beeae7d5e0dd2efedd8b4c07545ce52426860e521777a1b4c4d	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F6EDE999786674E1E62270D9B846954193AA94D4\Blob = 0f0000000100000014000000dfaa660c6dc78d7b5b12ab963bf908d0f95c02a7030000000100000014000000f6ede999786674e1e62270d9b846954193aa94d42000000001000000220200003082021e3082018ba00302010202108e79d832d43cdabc4fee5fe31a1ca81f300906052b0e03021d0500302431223020060355040313194964656e7469536f6674204163636573732053797374656d73301e170d3133303331323130353134355a170d3339313233313233353935395a302431223020060355040313194964656e7469536f6674204163636573732053797374656d7330819f300d06092a864886f70d010101050003818d0030818902818100d0486ee07e54051c933574491729e9bf378fd95e0e4172cb86970e46f6b3acb52860e6e827a28d6132f688bae0497ed1e92a699b223ed4795ce513918917f7b05c02f0cbc9efc00eb8f10f48cbd256aaa5e265533b1cb53d6bc16d4242aad15c185605643ec57fc195f2cf641fd1971873f1a8d0dd0554ab978ae089235715950203010001a359305730550603551d01044e304c80101b17c2a73f5611defddd79d5f5812b5fa126302431223020060355040313194964656e7469536f6674204163636573732053797374656d7382108e79d832d43cdabc4fee5fe31a1ca81f300906052b0e03021d050003818100333b23cafb3201e6c8b93b77de14aceeb113bae20e01debc9efa48261df30989310e446d24d36d687d44f8f0f9e12041dc1caee139c899188aaf23753fdc6f4961ce12b4d9e77d97791374a2cd0a2d64305210a5833414dacda0393f43764cd2a6244216a7a21beeae7d5e0dd2efedd8b4c07545ce52426860e521777a1b4c4d	DrvInst.exe

Executes dropped EXE 9 IoCs

pid	Process
392	setup.tmp
2944	certmgr.exe
3896	certmgr.exe
3412	dpinst32.exe
4772	dpinst64.exe
4592	dpinst32.exe
2428	dpinst64.exe
4184	dpinst32.exe
2884	dpinst64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63235312-e484-704f-bf70-c90105471ee9}\220.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\220.inf_amd64_0fc422cc61fa139b\220.PNF	dpinst64.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_39c892a42bf3fc8d\slabvcp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\silabenm.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\silabser.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\SETB79A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\x64\WdfCoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	dpinst64.exe
File created	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\SETB7AB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5becb31-5f31-0e4b-9a24-e3b491c224ed}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	dpinst64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\x64\silabenm.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_39c892a42bf3fc8d\x64\silabser.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_39c892a42bf3fc8d\slabvcp.PNF	dpinst64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\SETB7AB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vcp.inf_amd64_d6af64204def397c\vcp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63235312-e484-704f-bf70-c90105471ee9}\SETB324.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\SETB653.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\WdfCoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5becb31-5f31-0e4b-9a24-e3b491c224ed}\mde.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\x64\SETB641.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\SETB799.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vcp.inf_amd64_d6af64204def397c\x64\silabenm.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\220.inf_amd64_0fc422cc61fa139b\220.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	dpinst64.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\SETB653.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_39c892a42bf3fc8d\x64\WdfCoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vcp.inf_amd64_d6af64204def397c\x64\WdfCoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vcp.inf_amd64_d6af64204def397c\vcp.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\SETB798.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\vcp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vcp.inf_amd64_d6af64204def397c\x64\silabser.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\x64\SETB642.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\slabvcp.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\SETB7AA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\slabvcp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\x64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\SETB799.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\SETB798.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\x64\SETB641.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\x64\SETB642.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\SETB654.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_39c892a42bf3fc8d\slabvcp.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{217c4c42-d6fd-364a-93bf-c0360b8d0dc1}\x64\SETB79A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63235312-e484-704f-bf70-c90105471ee9}\SETB323.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63235312-e484-704f-bf70-c90105471ee9}\220.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5becb31-5f31-0e4b-9a24-e3b491c224ed}\mde.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mde.inf_amd64_234ede2ead037a25\mde.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d5becb31-5f31-0e4b-9a24-e3b491c224ed}\SETB508.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d5becb31-5f31-0e4b-9a24-e3b491c224ed}\SETB509.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vcp.inf_amd64_d6af64204def397c\vcp.PNF	dpinst64.exe
File created	C:\Windows\System32\DriverStore\Temp\{7ef08193-fcc3-b047-847c-124d57304596}\x64\SETB640.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\slabvcp.inf_amd64_39c892a42bf3fc8d\x64\silabenm.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{63235312-e484-704f-bf70-c90105471ee9}\SETB323.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{63235312-e484-704f-bf70-c90105471ee9}	DrvInst.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\USB Driver\rs\x86\WdfCoInstaller01009.dll	setup.tmp
File created	C:\Program Files\USB Driver\220\is-NS37B.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\x64\is-7BNUV.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\x86\is-IT04O.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\x86\is-6DQ56.tmp	setup.tmp
File created	C:\Program Files\USB Driver\mde\is-V2MH5.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-Q1FMR.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-22C55.tmp	setup.tmp
File opened for modification	C:\Program Files\USB Driver\certmgr.exe	setup.tmp
File opened for modification	C:\Program Files\USB Driver\rs\dpinst32.exe	setup.tmp
File opened for modification	C:\Program Files\USB Driver\rs\dpinst64.exe	setup.tmp
File created	C:\Program Files\USB Driver\unins000.dat	setup.tmp
File created	C:\Program Files\USB Driver\is-6J0II.tmp	setup.tmp
File created	C:\PROGRA~1\DIFX\4A7292F75FEBBD3C\dpinst64.exe	dpinst64.exe
File opened for modification	C:\Program Files\USB Driver\220\dpinst32.exe	setup.tmp
File opened for modification	C:\Program Files\USB Driver\mde\dpinst32.exe	setup.tmp
File created	C:\Program Files\USB Driver\220\is-OU2L3.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\x64\is-B5L11.tmp	setup.tmp
File opened for modification	C:\Program Files\USB Driver\unins000.dat	setup.tmp
File created	C:\Program Files\USB Driver\is-PG0MK.tmp	setup.tmp
File created	C:\Program Files\USB Driver\is-RV8CH.tmp	setup.tmp
File created	C:\Program Files\USB Driver\220\is-GEU43.tmp	setup.tmp
File created	C:\Program Files\USB Driver\mde\is-DO72D.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-TEF5G.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-FJ77D.tmp	setup.tmp
File created	C:\PROGRA~1\DIFX\971A4E1D800C3CF3\dpinst64.exe	dpinst64.exe
File opened for modification	C:\Program Files\USB Driver\220\dpinst64.exe	setup.tmp
File opened for modification	C:\Program Files\USB Driver\mde\dpinst64.exe	setup.tmp
File created	C:\Program Files\USB Driver\mde\is-N4TI9.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-9DQAO.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\x64\is-GCEHL.tmp	setup.tmp
File opened for modification	C:\Program Files\USB Driver\rs\x64\WdfCoInstaller01009.dll	setup.tmp
File created	C:\Program Files\USB Driver\220\is-551LK.tmp	setup.tmp
File created	C:\Program Files\USB Driver\mde\is-DAPQ5.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-4RO6T.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-42H99.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\x86\is-O6EHU.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-VLC0V.tmp	setup.tmp
File created	C:\Program Files\USB Driver\rs\is-P54BR.tmp	setup.tmp

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	dpinst64.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	dpinst64.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst32.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst64.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	dpinst64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst32.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst32.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst64.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpinst32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpinst32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpinst32.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dpinst64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dpinst64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6EDE999786674E1E62270D9B846954193AA94D4	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6EDE999786674E1E62270D9B846954193AA94D4\Blob = 030000000100000014000000f6ede999786674e1e62270d9b846954193aa94d42000000001000000220200003082021e3082018ba00302010202108e79d832d43cdabc4fee5fe31a1ca81f300906052b0e03021d0500302431223020060355040313194964656e7469536f6674204163636573732053797374656d73301e170d3133303331323130353134355a170d3339313233313233353935395a302431223020060355040313194964656e7469536f6674204163636573732053797374656d7330819f300d06092a864886f70d010101050003818d0030818902818100d0486ee07e54051c933574491729e9bf378fd95e0e4172cb86970e46f6b3acb52860e6e827a28d6132f688bae0497ed1e92a699b223ed4795ce513918917f7b05c02f0cbc9efc00eb8f10f48cbd256aaa5e265533b1cb53d6bc16d4242aad15c185605643ec57fc195f2cf641fd1971873f1a8d0dd0554ab978ae089235715950203010001a359305730550603551d01044e304c80101b17c2a73f5611defddd79d5f5812b5fa126302431223020060355040313194964656e7469536f6674204163636573732053797374656d7382108e79d832d43cdabc4fee5fe31a1ca81f300906052b0e03021d050003818100333b23cafb3201e6c8b93b77de14aceeb113bae20e01debc9efa48261df30989310e446d24d36d687d44f8f0f9e12041dc1caee139c899188aaf23753fdc6f4961ce12b4d9e77d97791374a2cd0a2d64305210a5833414dacda0393f43764cd2a6244216a7a21beeae7d5e0dd2efedd8b4c07545ce52426860e521777a1b4c4d	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F6EDE999786674E1E62270D9B846954193AA94D4	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F6EDE999786674E1E62270D9B846954193AA94D4\Blob = 030000000100000014000000f6ede999786674e1e62270d9b846954193aa94d42000000001000000220200003082021e3082018ba00302010202108e79d832d43cdabc4fee5fe31a1ca81f300906052b0e03021d0500302431223020060355040313194964656e7469536f6674204163636573732053797374656d73301e170d3133303331323130353134355a170d3339313233313233353935395a302431223020060355040313194964656e7469536f6674204163636573732053797374656d7330819f300d06092a864886f70d010101050003818d0030818902818100d0486ee07e54051c933574491729e9bf378fd95e0e4172cb86970e46f6b3acb52860e6e827a28d6132f688bae0497ed1e92a699b223ed4795ce513918917f7b05c02f0cbc9efc00eb8f10f48cbd256aaa5e265533b1cb53d6bc16d4242aad15c185605643ec57fc195f2cf641fd1971873f1a8d0dd0554ab978ae089235715950203010001a359305730550603551d01044e304c80101b17c2a73f5611defddd79d5f5812b5fa126302431223020060355040313194964656e7469536f6674204163636573732053797374656d7382108e79d832d43cdabc4fee5fe31a1ca81f300906052b0e03021d050003818100333b23cafb3201e6c8b93b77de14aceeb113bae20e01debc9efa48261df30989310e446d24d36d687d44f8f0f9e12041dc1caee139c899188aaf23753fdc6f4961ce12b4d9e77d97791374a2cd0a2d64305210a5833414dacda0393f43764cd2a6244216a7a21beeae7d5e0dd2efedd8b4c07545ce52426860e521777a1b4c4d	certmgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
392	setup.tmp
392	setup.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	4580	svchost.exe
Token: SeSecurityPrivilege	4580	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
392	setup.tmp

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 392	1708	setup.exe	85
PID 1708 wrote to memory of 392	1708	setup.exe	85
PID 1708 wrote to memory of 392	1708	setup.exe	85
PID 392 wrote to memory of 2944	392	setup.tmp	92
PID 392 wrote to memory of 2944	392	setup.tmp	92
PID 392 wrote to memory of 2944	392	setup.tmp	92
PID 392 wrote to memory of 3896	392	setup.tmp	94
PID 392 wrote to memory of 3896	392	setup.tmp	94
PID 392 wrote to memory of 3896	392	setup.tmp	94
PID 392 wrote to memory of 3412	392	setup.tmp	96
PID 392 wrote to memory of 3412	392	setup.tmp	96
PID 392 wrote to memory of 3412	392	setup.tmp	96
PID 392 wrote to memory of 4772	392	setup.tmp	98
PID 392 wrote to memory of 4772	392	setup.tmp	98
PID 4580 wrote to memory of 2904	4580	svchost.exe	100
PID 4580 wrote to memory of 2904	4580	svchost.exe	100
PID 392 wrote to memory of 4592	392	setup.tmp	101
PID 392 wrote to memory of 4592	392	setup.tmp	101
PID 392 wrote to memory of 4592	392	setup.tmp	101
PID 392 wrote to memory of 2428	392	setup.tmp	102
PID 392 wrote to memory of 2428	392	setup.tmp	102
PID 4580 wrote to memory of 2724	4580	svchost.exe	103
PID 4580 wrote to memory of 2724	4580	svchost.exe	103
PID 392 wrote to memory of 4184	392	setup.tmp	104
PID 392 wrote to memory of 4184	392	setup.tmp	104
PID 392 wrote to memory of 4184	392	setup.tmp	104
PID 392 wrote to memory of 2884	392	setup.tmp	105
PID 392 wrote to memory of 2884	392	setup.tmp	105
PID 4580 wrote to memory of 3164	4580	svchost.exe	106
PID 4580 wrote to memory of 3164	4580	svchost.exe	106
PID 4580 wrote to memory of 2452	4580	svchost.exe	107
PID 4580 wrote to memory of 2452	4580	svchost.exe	107

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\is-IE6KT.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IE6KT.tmp\setup.tmp" /SL5="$D0040,3626746,54272,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Program Files\USB Driver\certmgr.exe
    "C:\Program Files\USB Driver\certmgr" -add -c IdentiSoft.cer -s -r LocalMachine root
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2944
- - C:\Program Files\USB Driver\certmgr.exe
    "C:\Program Files\USB Driver\certmgr" -add -c IdentiSoft.cer -s -r LocalMachine TrustedPublisher
    3⤵
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:3896
- - C:\Program Files\USB Driver\220\dpinst32.exe
    "C:\Program Files\USB Driver\220\dpinst32.exe" /q /sw /se
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3412
- - C:\Program Files\USB Driver\220\dpinst64.exe
    "C:\Program Files\USB Driver\220\dpinst64.exe" /q /sw /se
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:4772
- - C:\Program Files\USB Driver\mde\dpinst32.exe
    "C:\Program Files\USB Driver\mde\dpinst32.exe" /q /sw /se
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4592
- - C:\Program Files\USB Driver\mde\dpinst64.exe
    "C:\Program Files\USB Driver\mde\dpinst64.exe" /q /sw /se
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:2428
- - C:\Program Files\USB Driver\rs\dpinst32.exe
    "C:\Program Files\USB Driver\rs\dpinst32.exe" /q /sw /se
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4184
- - C:\Program Files\USB Driver\rs\dpinst64.exe
    "C:\Program Files\USB Driver\rs\dpinst64.exe" /q /sw /se
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{3aae028d-df00-9d44-8fbb-442d24331b52}\220.inf" "9" "4d06a02e3" "0000000000000160" "WinSta0\Default" "00000000000000F8" "208" "c:\program files\usb driver\220"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2904
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{6195a052-f152-a54b-9813-bb098748a397}\mde.inf" "9" "419ff4dc7" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\program files\usb driver\mde"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2724
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{f001d437-01e5-fd47-90fd-bc4b0365d70f}\slabvcp.inf" "9" "473072c4b" "00000000000000F8" "WinSta0\Default" "0000000000000140" "208" "c:\program files\usb driver\rs"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3164
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{14341cc7-a6ef-3f45-a4a1-f36ea250169f}\vcp.inf" "9" "4524eea03" "0000000000000140" "WinSta0\Default" "00000000000000FC" "208" "c:\program files\usb driver\rs"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\USB Driver\220\dpinst32.exe

Filesize
900KB

MD5
30a0afee4aea59772db6434f1c0511ab

SHA1
5d5c2d9b7736e018d2b36963e834d1aa0e32af09

SHA256
d84149976bc94a21b21aa0bc99fcbdee9d1ad4f3387d8b62b90f805ac300ba05

SHA512
5e8a85e2d028ad351be255ae2c39bb518a10a4a467fd656e2472286fee504eed87afe7d4a728d7f8bc4261245c1db8577deeee2388f39eb7ee48298e37949f53

Download Submit
C:\Program Files\USB Driver\220\dpinst64.exe

Filesize
1.0MB

MD5
be3c79033fa8302002d9d3a6752f2263

SHA1
a01147731f2e500282eca5ece149bcc5423b59d6

SHA256
181bf85d3b5900ff8abed34bc415afc37fc322d9d7702e14d144f96a908f5cab

SHA512
77097f220cc6d22112b314d3e42b6eedb9ccd72beb655b34656326c2c63fb9209977ddac20e9c53c4ec7ccc8ea6910f400f050f4b0cb98c9f42f89617965aaea

Download Submit
C:\Program Files\USB Driver\IdentiSoft.cer

Filesize
546B

MD5
ca36b2df4b94bc3c068478b3623ed4f4

SHA1
f6ede999786674e1e62270d9b846954193aa94d4

SHA256
b911d6e1125ba83a65b6997c153fbe0c7e5eb0583163fac32ca84a1966ccb772

SHA512
b67a42780f0c82a085c0c3e20ee762e001401cc64eec07cf4aedbd4b0264d181e517ee7b0f0fa6479890d7758ec983253667db80e32fad22a172c55b14a16c47

Download Submit
C:\Program Files\USB Driver\certmgr.exe

Filesize
77KB

MD5
ec58a1586ad70953d48e3c393163348f

SHA1
f18eebaea4460b057f5b49e8239779f1c0c05bb9

SHA256
a097cc322fa68e1ff500d79598f657d9c211e86e632c3c3b896e566852cea991

SHA512
05615c1ee6aeaf82a1d52e31f18c4174ae4d44e96fcd4466643f01ef431d4ad5022f3b4eb07e9f472ea43b59e8de5f3b5c10328e7109dafa4c3f3b9ff41b2da2

Download Submit
C:\Program Files\USB Driver\rs\dpinst.xml

Filesize
10KB

MD5
abbcd6a1f3b30955f67bc7606aa4caa7

SHA1
a90da829e2d7a53d9ddedd1a6f0272f0424a620a

SHA256
244368a3c7fb33c3da267e07ac579067928ab421a0ad9dceed85d85d7ad62792

SHA512
cc6fdd9bedd7eda6d7c4e7aa0878343628ab2ef524d42904edc31da629d63b07408ccba20cb1f4dbc8f4c1b691a591b79a12a112c4e33b59c44f500138595bfe

Download Submit
C:\Program Files\USB Driver\rs\dpinst32.exe

Filesize
535KB

MD5
d483181b3111f7cee4e4412e390f54f0

SHA1
de2558d6988bbcbd0053f883f00b237f4fca2d38

SHA256
3664fbe8a5259670bbb5f324331af727e2ccae903d63ec26b1c7a9fe3335c285

SHA512
9d62f0e01a3dc1d27822533ef05cc936ff78872a68e5ad7b69c66ee458ebd9dc9f049dd8a4f49c14e33a8108aa1037c90c609e514c3055587724f0e8eecff544

Download Submit
C:\Program Files\USB Driver\rs\dpinst64.exe

Filesize
657KB

MD5
9ef577951b596e0113cc317b4fdfe81e

SHA1
bb4e8ca436674364dc81b23a4eebd0aef98c3526

SHA256
bb923a0a434896ad2bb3499cebd9a024e7bfc1e27b2d489876609de1af3c7553

SHA512
8d30b0a8d297398bd46345f3f2f659fef74b1f8b036cc3abd1120718bc384dc9c30c85353ce703758b0bbba515fa679c30c32a8c78767fc4b37ef09ca1232b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IE6KT.tmp\setup.tmp

Filesize
689KB

MD5
15430669556c2062ceadd5b125e8cea7

SHA1
276c5f36876a783a01ef10b9df39fa0efe3e296a

SHA256
64db719c67988b106bf2d1a5b842445e8ff9b6436be28bcaa0b8876d330f8168

SHA512
2c2a87d34922d747827a2c77813ebfe9923bdd80cd4be909f8da3c8a4dc3a079c049db74c8bc36edd38663ee4635cdd0fda4f9cd2adc3b40d426066611206f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\{14341cc7-a6ef-3f45-a4a1-f36ea250169f}\vcp.cat

Filesize
6KB

MD5
29e46312c743cd5bb7cbb1831c1993c5

SHA1
326a5d8873cfc078513e13a8a69605e75ce01ced

SHA256
797c14e98657be740b12cfce710a7bbb418f4487178b6bf9ade71f68c2eadb3c

SHA512
f7349662507e5bd880548f43ec65a347bcd0c737f2b9bba12e16df3a3d6bbded4fda3d2f28f3e7cf0b3fe8fd481da085ba39922cb3c303135419cdd78fc788fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3aae028d-df00-9d44-8fbb-442d24331b52}\220.cat

Filesize
4KB

MD5
72730c9ece820d6b0fa78eb3e8a0506c

SHA1
3ad35b2fa156702518f5affb9622daa4b18ea8eb

SHA256
adbcae142ec160ade5d778ef6692a1927aa1cc679be485555873e05fc95e19c8

SHA512
f619f1270c0f5a601a46ae2aa34f99a76fa40ece495794dfc120114f9b8d115f8fc1771b381f0d623f4f7783d9afc49ea37ca61a16fac63a288b462c39b5c933

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F001D~1\x64\silabenm.sys

Filesize
26KB

MD5
7799106fee728b907a86d9c9751e02d5

SHA1
f35320e535159d43b598c7c11684db05be4196a6

SHA256
ee85e8d3cf3819db28221bfc103de8df0e14e1878cecf54e8cd8c161b0e0af3c

SHA512
f91af958adf1b808fc6c30aa7fe9c6cf8c5c2a041327693403d9a12a06e7c5084d203433ba2d0917a3fc1a064626bce89526c5fb4b951f0a4aa07e84d237a99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F001D~1\x64\silabser.sys

Filesize
71KB

MD5
447209c314e6e0d26e01962075802b18

SHA1
dd8af2e3aa38d2d6971568ebf2cf41848e0091f5

SHA256
ab1ac5854eb0edf66025609cf9cb5639014c264327f4dee1223bf7f6e1bd2d15

SHA512
e2f8470c31496d1547cf930dd32805407722f81f6846e4257bf28ce37bf635f8eda07a19e99fcbe10aad939e7912fed4aba098b58cccc66217f2965bf4d10c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f001d437-01e5-fd47-90fd-bc4b0365d70f}\slabvcp.inf

Filesize
4KB

MD5
3334197755fbbeeeb24b819a7288279c

SHA1
d680dee0f68d64ec53d0c5769879d15d387054cc

SHA256
453bfbe522e771db12c4dd0099a3e72f77916708440e7d7bbda429c7bbcb274e

SHA512
35b7a2f269929833f5db8e87217e8ab04a15dcbd4404a1c656ab7735b78784b5736412c78eb69087e7436cff62b0fd567d3b874d9f08ef296d0ea1912a062124

Download Submit
C:\Windows\DPINST.LOG

Filesize
6KB

MD5
d905a5b9b977e14b52cfc5f56be74cc7

SHA1
0b45457125ca420c4277c0c98a2567c5c1b7443f

SHA256
fb4e7ac5fbf5f6742abab0ed6d0405310907e4c5ebb6083c388db383f2957913

SHA512
965d3e6a24d40cc4a4093ccf5c55746150fe57e27f3878bdaed30b6e970bb26df517809e023c34e5342b199da2c881aa2fcd48089a81fb7f3847f2a0f41b533a

Download Submit
C:\Windows\DPINST.LOG

Filesize
8KB

MD5
fb1c271276082adcadd19afba7eb25aa

SHA1
0309a0d7a40712793424b41d6cd31b61f6bab3b6

SHA256
6a78a19c7305abd4b6505990aa64b538d5d581db7709fb4fa87f8194778e195b

SHA512
a8148eab8103e69fe187f71c00a192905fd123190e9f0963b751cbf703c333ed13b8c44b266348ed101cc5db7b0315bbc12c5f3f335f78b38872aa7860670295

Download Submit
C:\Windows\DPINST.LOG

Filesize
12KB

MD5
fbceb66adb8668466021964da7cce3e5

SHA1
14af5ce116eeb06470a1abc698becbe5694649d5

SHA256
06a03c8a2752da3fae147c95159d8122bf53e721e3b85125a3b1522b74d671d5

SHA512
93b0ffcf1f8f03426a4b76e1f926971d6344580abd9040d3652e93488c6223eab68c9b442b415e11cd2220e623b1d42fe446ee8c98f0f177c5f80ca3f67ff376

Download Submit
C:\Windows\DPINST.LOG

Filesize
13KB

MD5
b2d22e401e59eab46f4bb6f9298001b1

SHA1
9c2d8c06d25e6a9d394d9bf5afdef131f4920c79

SHA256
f9a627b9a214919baee587fb3a01a4620e9cb2d64245fb5b62538a2899280e72

SHA512
5f38a835818ce96035dbd0ba09a9d02f57cbcec872ba2951ea067477701a23dd3350b3dfe96bd4958a6d102c84e53ec6ce3930003d989e56312a0de06aca3842

Download Submit
C:\Windows\DPINST.LOG

Filesize
19KB

MD5
7ea8ecb37cf10baffef95346d076c8f1

SHA1
2feb7638ccad28f876f95c3ec832b5b45fc26c3a

SHA256
81a93399187761d30062d4be6d38d2c4c39a3135f4a038c4e706ba03480a60fe

SHA512
1e01b1ffb8d74a05d15738eb740c9f936d51dbfc522782a8da4a3be60de1f921184208a62dd25f2934fb529e99cf8df5061677f111c11d8a3aa903efae8b8ace

Download Submit
C:\Windows\DPINST.LOG

Filesize
2KB

MD5
5c7378c73ad6816b03ed275f056783c7

SHA1
307ed1c633cb28f9484fe734a8ecc1e969ede933

SHA256
6bd1eeddca89f9c095bdd440ccb195077a7ca31fdf8e2a343d64e64d4bebd4d9

SHA512
ea36579af760c06dc8c78555b8b32e7c136a5c4dc7a84fe2dbe1ad6a8fd857cc02925daa1041e48e0bd71f5f5aeca6fa5ac0f8884e0d6d4f756423b74ad40305

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
cea2853944d0b6e598d40899851227c1

SHA1
395f3cb0e0a81fe1a10a5030eb88a2ad9f7b8ad5

SHA256
ff429a29eb462f0bceafe0c5ccc9a7cf1b7c81ba880b4c2834a0e857dd899b4c

SHA512
8dc5940cb4e3f4afe1f93035e1f65d2d7c94552a47a824f29c29f0ebb1c4ed406326253f61ddc7ee269ebe39a23618e6eae6f02760e0c0804f20b0bc42b39733

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
08adf40740cf474be51dd4af4fee0161

SHA1
c77844467715985a2ba75da3f1b721aff341ef73

SHA256
e2fd42e8a4dc84ddd90f9733236a14fa3b105e2771bf5439531e738d8aef0688

SHA512
8d393c9f787283f098a27afd854a43d6264d33b36128df12f0585f8193ba7c8514f7e45e54e8ce8d67affe1a5f35a1c751cbb1274934f50bc9ff5c3c894f38ac

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
fad75475bb6a11ed84942f06e83af5f6

SHA1
94840f0132340b9c9641364acedd3322facbb061

SHA256
47133c9156b82adf1ff4fd75ac1abd0be10f3c8eba5061987e6f23a31e1047c5

SHA512
66ce45e68c4db35a528615a2a0760a285dd6979f3bf29b8368265936a1ec3c6c95bbca94304c9210a56a50e5a8414c4a0f6f9960a3a06b0e526b3bec7399f80d

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
2b8157fc5938408cc0ac4202d39ab58e

SHA1
490da152d75f74005c7fb1bf388af954dd386c82

SHA256
4358b7865503eb2394ea9a0ad5cf0d547562b82fcb863cf28da734e918d3364a

SHA512
c6fda056a16ccee69e4047dbc75fa5c0a081cdbaa7e4191269780f5db1dccffa957324a44ca46a7c636e291751264fafe35df85b3c54c9b61a77b3f4e42fb9be

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
de42d16bb9c8d776b0a4e13d296ba157

SHA1
8f956def608063db9da645eb9eaa61b4bedebc2e

SHA256
26ddb7ff76753394418cde021f1f231959a6e0fdf90fa080f6f9ab294099d91c

SHA512
449fd2eee73b704b74e20db6435e21d80613820bc67d3834e3ac246331ac4c96498ce5c1ddbb1efeaa88d5a73bc64837cf614a12d3537654fdceca9a33317db0

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
6e53c9991ecbd5aef6f7638529b94b4c

SHA1
e9a78db879a199431f8e6d2d1b064e26301e711b

SHA256
36b7560899abf2e63db9478406fdae6ac5c1617254efb732adc1bff609282edb

SHA512
dbfdacc6aef24321d4a8f732989e29228e602902c87f3f044717bd6dad1811c9531c6f7ed8b0e3714adead371bd518cf7044e40fdd81f25cedba2dd1c9d1f0a8

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
19KB

MD5
7681cac5b961d59e1ee6f9b93092b889

SHA1
f0e81a0a7d13fef1892b3ead175389281928d526

SHA256
dbb9aea2e5501fdd16818c587346b7e69ae652dd4c7d3958716f19cd181017b3

SHA512
f692ed832966bdac5ee9e75718d96b90b552b0d94f52aebbe73d9e50c1a6dc8ed40ff389a9094d6269f061f06aff5a97cac4a0095e5ea3af6d7a34b1990ad7b5

Download Submit
\??\c:\PROGRA~1\USBDRI~1\mde\mde.cat

Filesize
4KB

MD5
edbf6e0aecb7fc32fe7705dbaa75f654

SHA1
43e58328342cbf822ecea0c8abaafafdbc0f33de

SHA256
da724ac14b3a92bb5fa532de6625fe8bf41d935fedbc9927dc8fa730fb711f62

SHA512
5dd792664b4f17c0ed27fda9dc5073c5f73a68de2a91c5d26fa068c8870b55065caf35e76226d7885af2b27ba6b6dacb669dae460b9768d09a3351df5accd0d0

Download Submit
\??\c:\PROGRA~1\USBDRI~1\rs\slabvcp.cat

Filesize
10KB

MD5
d1b527f83fced2a644fb7c99f8068547

SHA1
ff9526c4d1a623cbd079ed8287bbd2a60871e281

SHA256
e1e39974fd56e36204ab94693324019da45bea4816cc675ce45741cec63a143b

SHA512
39f624e3da7194a159056e9afa3d4cce8aa914f25a5d3047bea67617e5f6646d3d6ece9a35ac23fc782d0c62f470e99c930f68d44a6718d06885c3d0997b1275

Download Submit
\??\c:\PROGRA~1\USBDRI~1\rs\x64\WdfCoinstaller01009.dll

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
\??\c:\program files\usb driver\220\220.inf

Filesize
1KB

MD5
a48d3b0a68576396a8b06d3fe0e25d07

SHA1
18bb7d47de1bfd6452707fddd1b244e58d557c91

SHA256
acce9546ef61f0c441a4e9c3fbd04c8adb428234110df4d6fdaa3dbb9067f0fe

SHA512
26db87963ff1fe311c262c0296efdc93a1d69df6c4ff4ab38ebf188525030873172c1e8e8a678176c20b797ef8651a73a79945132e4f74cb44cd7e376966e881

Download Submit
\??\c:\program files\usb driver\mde\mde.inf

Filesize
1KB

MD5
b1ef97fa30cbd2f944b338970d7fcecc

SHA1
24d3fb8a486f5c74c843b7e30f8c6332ccf69cf3

SHA256
8b7df1303d5c387b79ea4710c13f651ba73290f078b7e4f49bfcb743d06ac7fe

SHA512
c7d14c1916b5b91d2f9de30f1696f6a291208f91f09b7bf2f3e9a5deb9cea30987f037db3ca61e668120a138cdabb5d7c4796c8e3d066244f23981ae4b37f961

Download Submit
\??\c:\program files\usb driver\rs\vcp.inf

Filesize
3KB

MD5
66470dacd27545813f08ff0c0b20cbc2

SHA1
27b2ba7de89e1e382d0dd0ae41a908d6b981624d

SHA256
cdeaa2881287aa3cda89d657cbebbbea0346697a4b22d13d1f4450e43897e92f

SHA512
47bc8140b2ca23706b51b649ef18fb134b586df976f67e511e5b3a4efa063a44c27afc00710f1033c67b067784af6246ae586e097b241094c96413caab1a0b08

Download Submit
memory/392-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/392-407-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/392-410-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1708-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1708-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1708-405-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1708-411-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download