a25164a9205a1919fdc85976f6838bd52de858692e885244518d20a5a880fae7

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
Size

6.4MB
MD5

58bacc0d97258aadf00f1c32beeac8a3
SHA1

b90c0b1b72fb573d74c9996b4b6a0cfc1699a066
SHA256

a25164a9205a1919fdc85976f6838bd52de858692e885244518d20a5a880fae7
SHA512

0644995ffa4f9f2965edba8b0ddc9e3d8d6a517046cc6e95c852e889e3d4d5219fb7270fd6f1ee202cf20a410cf23296377e46e5ffca4be7dba85cf9e0d8ec6d
SSDEEP

196608:YNvMhd5LqFOjkCTIMfjnm22IDsDEmufqDFe3S4HtiYzlDA:YNvMhfLqFOjkyfzmJIYa0Otpq

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\UMDF\VirtualExtendedDisplay.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\SETD716.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\UMDF\SETD716.tmp	DrvInst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Auto_Agent_WirelessMediaC3 = "C:\\Users\\Admin\\AppData\\Local\\WirelessMedia\\WirelessMediaAutoServiceC3.exe"	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\Q:	WirelessMediaMain.exe
File opened (read-only)	\??\Z:	WirelessMediaMain.exe
File opened (read-only)	\??\O:	WirelessMediaMain.exe
File opened (read-only)	\??\V:	WirelessMediaMain.exe
File opened (read-only)	\??\Y:	WirelessMediaMain.exe
File opened (read-only)	\??\O:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\R:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\T:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\N:	WirelessMediaMain.exe
File opened (read-only)	\??\L:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\W:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\X:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\J:	WirelessMediaMain.exe
File opened (read-only)	\??\E:	WirelessMediaMain.exe
File opened (read-only)	\??\T:	WirelessMediaMain.exe
File opened (read-only)	\??\U:	WirelessMediaMain.exe
File opened (read-only)	\??\K:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\H:	WirelessMediaMain.exe
File opened (read-only)	\??\I:	WirelessMediaMain.exe
File opened (read-only)	\??\L:	WirelessMediaMain.exe
File opened (read-only)	\??\N:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\P:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\S:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\P:	WirelessMediaMain.exe
File opened (read-only)	\??\E:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\G:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\H:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\I:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\S:	WirelessMediaMain.exe
File opened (read-only)	\??\Z:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\K:	WirelessMediaMain.exe
File opened (read-only)	\??\R:	WirelessMediaMain.exe
File opened (read-only)	\??\W:	WirelessMediaMain.exe
File opened (read-only)	\??\J:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\M:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\Q:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\Y:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\X:	WirelessMediaMain.exe
File opened (read-only)	\??\V:	WirelessMediaAutoServiceC3.exe
File opened (read-only)	\??\G:	WirelessMediaMain.exe
File opened (read-only)	\??\M:	WirelessMediaMain.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WirelessMediaMain.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\SETD514.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\virtualextendeddisplay.inf_amd64_52cd13b9f93311e3\virtualextendeddisplay.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\SETD514.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\VirtualExtendedDisplay.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\SETD515.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\virtualextendeddisplay.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\virtualextendeddisplay.inf_amd64_52cd13b9f93311e3\VirtualExtendedDisplay.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\SETD503.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\SETD515.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\virtualextendeddisplay.inf_amd64_52cd13b9f93311e3\VirtualExtendedDisplay.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\virtualextendeddisplay.inf_amd64_52cd13b9f93311e3\virtualextendeddisplay.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\SETD503.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}\VirtualExtendedDisplay.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{dcb4fdc0-375b-a447-a4df-816e583efafd}	DrvInst.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2428-0-0x00000000000C0000-0x0000000000E8E000-memory.dmp	upx
behavioral2/memory/2428-23-0x00000000000C0000-0x0000000000E8E000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\VirtualExtendedDisplay\x86\is-F8NF5.tmp	ExtendedDesktop.tmp
File opened for modification	C:\Program Files\VirtualExtendedDisplay\unins000.dat	ExtendedDesktop.tmp
File opened for modification	C:\Program Files\VirtualExtendedDisplay\x64\VirtualExtendedDisplay.dll	ExtendedDesktop.tmp
File opened for modification	C:\Program Files\VirtualExtendedDisplay\x64\devcon.exe	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\x64\is-5SJAK.tmp	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\x64\is-L3011.tmp	ExtendedDesktop.tmp
File opened for modification	C:\Program Files\VirtualExtendedDisplay\WMWSetupTool.dll	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\unins000.dat	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\is-QKO6T.tmp	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\is-HFSEC.tmp	ExtendedDesktop.tmp
File opened for modification	C:\Program Files\VirtualExtendedDisplay\x86\devcon.exe	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\x86\is-INOCF.tmp	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\x86\is-OJ7PV.tmp	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\x86\is-828KP.tmp	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\x64\is-BV19D.tmp	ExtendedDesktop.tmp
File opened for modification	C:\Program Files\VirtualExtendedDisplay\x86\VirtualExtendedDisplay.dll	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\is-9QFO9.tmp	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\is-CTMP1.tmp	ExtendedDesktop.tmp
File created	C:\Program Files\VirtualExtendedDisplay\x64\is-QL8RJ.tmp	ExtendedDesktop.tmp

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Executes dropped EXE 6 IoCs

pid	Process
2120	WirelessMediaAutoServiceC3.exe
4404	WirelessMediaMain.exe
4140	ExtendedDesktop.exe
1856	ExtendedDesktop.tmp
1428	devcon.exe
3400	devcon.exe

Loads dropped DLL 1 IoCs

pid	Process
1856	ExtendedDesktop.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WirelessMediaAutoServiceC3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WirelessMediaMain.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExtendedDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExtendedDesktop.tmp

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	devcon.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1856	ExtendedDesktop.tmp
1856	ExtendedDesktop.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid
4

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeAuditPrivilege	4732	svchost.exe
Token: SeSecurityPrivilege	4732	svchost.exe
Token: SeLoadDriverPrivilege	3400	devcon.exe
Token: SeRestorePrivilege	756	DrvInst.exe
Token: SeBackupPrivilege	756	DrvInst.exe
Token: SeLoadDriverPrivilege	756	DrvInst.exe
Token: SeLoadDriverPrivilege	756	DrvInst.exe
Token: SeLoadDriverPrivilege	756	DrvInst.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4404	WirelessMediaMain.exe
4404	WirelessMediaMain.exe
1856	ExtendedDesktop.tmp

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4404	WirelessMediaMain.exe
4404	WirelessMediaMain.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4404	WirelessMediaMain.exe
4404	WirelessMediaMain.exe
4404	WirelessMediaMain.exe
4404	WirelessMediaMain.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2120	2428	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	83
PID 2428 wrote to memory of 2120	2428	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	83
PID 2428 wrote to memory of 2120	2428	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	83
PID 2428 wrote to memory of 4404	2428	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	85
PID 2428 wrote to memory of 4404	2428	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	85
PID 2428 wrote to memory of 4404	2428	b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe	85
PID 4404 wrote to memory of 4140	4404	WirelessMediaMain.exe	99
PID 4404 wrote to memory of 4140	4404	WirelessMediaMain.exe	99
PID 4404 wrote to memory of 4140	4404	WirelessMediaMain.exe	99
PID 4140 wrote to memory of 1856	4140	ExtendedDesktop.exe	100
PID 4140 wrote to memory of 1856	4140	ExtendedDesktop.exe	100
PID 4140 wrote to memory of 1856	4140	ExtendedDesktop.exe	100
PID 1856 wrote to memory of 3588	1856	ExtendedDesktop.tmp	101
PID 1856 wrote to memory of 3588	1856	ExtendedDesktop.tmp	101
PID 3588 wrote to memory of 3580	3588	cmd.exe	103
PID 3588 wrote to memory of 3580	3588	cmd.exe	103
PID 3588 wrote to memory of 1428	3588	cmd.exe	104
PID 3588 wrote to memory of 1428	3588	cmd.exe	104
PID 3588 wrote to memory of 3400	3588	cmd.exe	105
PID 3588 wrote to memory of 3400	3588	cmd.exe	105
PID 4732 wrote to memory of 5076	4732	svchost.exe	107
PID 4732 wrote to memory of 5076	4732	svchost.exe	107
PID 4732 wrote to memory of 756	4732	svchost.exe	109
PID 4732 wrote to memory of 756	4732	svchost.exe	109

C:\Users\Admin\AppData\Local\Temp\b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe
"C:\Users\Admin\AppData\Local\Temp\b90c0b1b72fb573d74c9996b4b6a0cfc1699a066.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe
  "C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaMain.exe
  "C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaMain.exe"
  2⤵
  - Enumerates connected drives
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\WirelessMedia\ExtendedDesktop.exe
    "C:\Users\Admin\AppData\Local\WirelessMedia\ExtendedDesktop.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\is-Q1I9E.tmp\ExtendedDesktop.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q1I9E.tmp\ExtendedDesktop.tmp" /SL5="$4026A,338260,121344,C:\Users\Admin\AppData\Local\WirelessMedia\ExtendedDesktop.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\VirtualExtendedDisplay\install.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        6⤵
        
        PID:3580
      - C:\Program Files\VirtualExtendedDisplay\x64\devcon.exe
        
        "C:\Program Files\VirtualExtendedDisplay\x64\devcon.exe" -r remove "hid\vid_2E90&pid_0052"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:1428
      - C:\Program Files\VirtualExtendedDisplay\x64\devcon.exe
        
        "C:\Program Files\VirtualExtendedDisplay\x64\devcon.exe" -r install "C:\Program Files\VirtualExtendedDisplay\x64\VirtualExtendedDisplay.inf" "hid\vid_2E90&pid_0052"
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{e38202b6-aa82-3845-a476-3bcfc71d2de8}\virtualextendeddisplay.inf" "9" "40d44b15b" "0000000000000134" "WinSta0\Default" "0000000000000158" "208" "c:\program files\virtualextendeddisplay\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5076
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\USB\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce8840c48fa1f:MyDevice_Install:11.49.9.809:hid\vid_2e90&pid_0052," "40d44b15b" "0000000000000154"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VirtualExtendedDisplay\install.bat

Filesize
780B

MD5
9b0ba14ce155f1202bfa35d86406e3fc

SHA1
e3b2244016785dac3c6b44dfb160230e6afb270c

SHA256
77bf91fc6146b299b247267a088fdf9d59d864b8b28f87d0ca2869b904736002

SHA512
ca273826997113d8669227420ef0c18fcf2aeb4dd3fb70c80831be2819863b9776a8e3192ad84e1acd292d05a9192303c4ec0fdc25a713843611c92d69e55715

Download Submit
C:\Program Files\VirtualExtendedDisplay\x64\VirtualExtendedDisplay.inf

Filesize
4KB

MD5
a699ce3d5614a22bad8ee534405e9e3c

SHA1
8b804b5be2fd0d50b41032616fb8fea27f14cdf1

SHA256
9f82fe14f90a98c2587104171a3249f0379efc18458e37b6379c4269b8eb4910

SHA512
39e46e159857ae885faf34c2873dcabb75e8f66a083a0e3696b247e57e8c6dd79575b6d5636190a2c2b28435b10a2c33b65571f190725a4044eb4a73a013caf5

Download Submit
C:\Program Files\VirtualExtendedDisplay\x64\devcon.exe

Filesize
89KB

MD5
515be82b8fb3b645a667e0f513cc56e1

SHA1
ccecb9835543eb34a7fcc54cbf5a47ad811f4706

SHA256
810081b7f455e2005c660c5870a5f9f9a05ae9216a0cc46e8fce99e2206fabf2

SHA512
5d0bac84bfb6f88bb758a46c4cfc43dc6df67b033eb25e8293cd382221617033d4dc6fc620f44f1de4ed3ef8c62ee76a04597c4cfaaa1a6c764d117e068d3339

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JINU9.tmp\WMWSetupTool.dll

Filesize
84KB

MD5
1c638add00e6fbbed652b37a309e1fb4

SHA1
e31ce108adfbcf7281bd93136732cee4d508a5ad

SHA256
392529d0ba29a894fc976e2551adef6f77c4d45ba2e5f537163a26ebf972da3f

SHA512
ebd194dbb242d3d19f749b817af22cbdd85b1fd4c703b8971fb83f2ae2b1fc66d6663e1f4d3d6264cdb9be4f9b6b95a5e1de79b21e8f042574b149850e053186

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q1I9E.tmp\ExtendedDesktop.tmp

Filesize
1.1MB

MD5
49236a4bca74531332ee6a230b117ab4

SHA1
4c5f6b4337b34844f61c003e2e3549dce6d280c7

SHA256
263b5b39b4c8adc1b020932bcbad5251db9528689e5edb468fab457f6e169aec

SHA512
788ca4dd54f93df6e8492617e0b82dff23d2d2070defd64b3b802ebed20d9d66d8e26497eba408f9076219f028da14ada04d534127b88e97eb26cde90b6dfdd9

Download Submit
C:\Users\Admin\AppData\Local\WirelessMedia\ExtendedDesktop.exe

Filesize
768KB

MD5
38056350ea79e7046c80fc2b5c3474ac

SHA1
fe9db0775feec0660b92c5a09cb3ddb62db6b49e

SHA256
a7ad0bef8a995ede80e218c98287c0da21211e3c41eef776b6ffa446dd89da34

SHA512
2b9786538a16e5f0ba4e0fb63bf3ac68c1b38132ed601e331214c360b54d3efbc6094a4d76bc71665500162ede5027401993c4ffeafd59cfb7201cdf727d65c4

Download Submit
C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaAutoServiceC3.exe

Filesize
1.6MB

MD5
2c5a699f1baaddcd659e226586ce5eca

SHA1
60b54b1254d2e2b4c57c49b0a06945d13aec1b36

SHA256
ce1406795d923f43c9309904e5dcd9cbadf9d9f1f26413333b920713b01523f6

SHA512
de62caad872938a7add5e513b86b9b5e143272c711d8632c30ad8718a23115e2349e2ae94abdfd72196c30552a99852d34d54cb1e35b93e855a1d425bcbf1538

Download Submit
C:\Users\Admin\AppData\Local\WirelessMedia\WirelessMediaMain.exe

Filesize
11.9MB

MD5
ddc8d3302600895ee667fa990770793e

SHA1
a95202ba7a2af7b375cbd73d88a7add665a005a0

SHA256
4139e95be8e6294a57f746112ca14553ab9913893cfefbfa95ac2f5ccbf40b9a

SHA512
24f64b50f1bed05d0c80e3d6bacc0c537a6e5d83fc4ec5c63cdbd69e0b286f680eb4b0b2e548d753ff2ec9f00bd48064e4cc69e8b31d06f94d3078f72fbff38d

Download Submit
\??\c:\PROGRA~1\VIRTUA~1\x64\VirtualExtendedDisplay.dll

Filesize
132KB

MD5
4c72e760afb8e5f5b369d48ef1a87fbe

SHA1
a6e5b9bcf2288e4922e311133f61fd8dd0b29fb3

SHA256
e326dd653336ba4aa0fdb9327bc35c8937c0ee8158c4c03abad04625fa6a4eea

SHA512
be099ab1b89c8f607baf755e79233811381efec741038d81dd6bfe0e5d89ee707f892aba40596f1557f4eb25c8ae316a894a42cc5c5155dc33a9a82ad8154331

Download Submit
\??\c:\program files\virtualextendeddisplay\x64\VirtualExtendedDisplay.cat

Filesize
8KB

MD5
67d6cabaa00b8b84f530a869152b7abb

SHA1
6fbea6ddc8507be13bceabffbbe37e949fc8bc34

SHA256
6f3da6f24b2b10322c91be6d85f6360c2700ac03844f2930e01f082268f224a0

SHA512
41347193b041f87c796665960afda48aa797fafa1b072f3d1dd7e34d6efa5f04bf7e128e1fd61a92324da64cc792db387597ce2e8cf81633d6704a9d9f198164

Download Submit
memory/1856-148-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2428-0-0x00000000000C0000-0x0000000000E8E000-memory.dmp

Filesize
13.8MB

Download
memory/2428-23-0x00000000000C0000-0x0000000000E8E000-memory.dmp

Filesize
13.8MB

Download
memory/4140-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-149-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download