Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2025, 00:38
Static task
static1
Behavioral task
behavioral1
Sample
d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Resource
win10v2004-20250129-en
General
-
Target
d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
-
Size
988KB
-
MD5
2424d3853276ebb2806eba14c980ba80
-
SHA1
a139309ed88df20cdf219638b52ed4200fc89edf
-
SHA256
d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384
-
SHA512
2f9fbf30dec895fce59fd1c0153811454e6e5eb9a91408c7801d5558ada26dd574a5542184eb304bbb7222c80e641c08f0cd3b7a5013e9e619848eeeb538cae5
-
SSDEEP
24576:0TOpUNCzaEDGSsuGxAFlLvKx1L8Mn3ru5gI33XmPSZftzrAp30TxS:03NCzHM2M1L8MniF3HftQF0To
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
-
Windows security bypass 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\SETF50E.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SETF50E.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\BazisVirtualCDBus.sys | DrvInst.exe
-
Manipulates Digital Signatures 1 TTPs 1 IoCs
Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\63D7DF05D30F33DEC7254DCDA6A194CC8E2FADAC\Blob = 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 | DrvInst.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation | uninstall64.exe
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 6 IoCs
pid | Process
1136 | WinCDEmu-3.6.exe
4960 | uninstall64.exe
244 | VirtualAutorunDisabler.exe
2248 | VirtualAutorunDisabler.exe
4612 | drvinst64.exe
764 | vmnt64.exe
-
Loads dropped DLL 4 IoCs
pid | Process
972 | regsvr32.exe
4520 | regsvr32.exe
388 | regsvr32.exe
2600 | regsvr32.exe
-
Windows security modification 2 TTPs 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
File opened (read-only) | \??\G: | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
File opened (read-only) | \??\H: | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
File opened (read-only) | \??\I: | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
File opened (read-only) | \??\J: | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
File opened (read-only) | \??\K: | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
-
Drops file in System32 directory 17 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\SYSTEM.INI | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | drvinst64.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinCDEmu-3.6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VirtualAutorunDisabler.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 42 IoCs
Modifies registry class 64 IoCs
Modifies system certificate store 2 TTPs 5 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 drvinst64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary certificate blob omitted) drvinst64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary certificate blob omitted) drvinst64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 drvinst64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = (binary certificate blob omitted) drvinst64.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
(this identical entry is recorded 64 times in the report)
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2236 wrote to memory of 792 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 9
PID 2236 wrote to memory of 800 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 10
PID 2236 wrote to memory of 384 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 13
PID 2236 wrote to memory of 2448 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 42
PID 2236 wrote to memory of 2460 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 43
PID 2236 wrote to memory of 2548 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 46
PID 2236 wrote to memory of 3544 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 56
PID 2236 wrote to memory of 3664 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 57
PID 2236 wrote to memory of 3852 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 58
PID 2236 wrote to memory of 3948 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 59
PID 2236 wrote to memory of 4008 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 60
PID 2236 wrote to memory of 3100 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 61
PID 2236 wrote to memory of 4128 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 62
PID 2236 wrote to memory of 4608 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 75
PID 2236 wrote to memory of 4560 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 76
PID 2236 wrote to memory of 5104 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 80
PID 2236 wrote to memory of 4116 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 81
PID 2236 wrote to memory of 516 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 84
PID 2236 wrote to memory of 528 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 85
PID 2236 wrote to memory of 1136 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 86
PID 2236 wrote to memory of 1136 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 86
PID 2236 wrote to memory of 1136 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 86
PID 1136 wrote to memory of 4960 1136 WinCDEmu-3.6.exe 87
PID 1136 wrote to memory of 4960 1136 WinCDEmu-3.6.exe 87
PID 4960 wrote to memory of 244 4960 uninstall64.exe 88
PID 4960 wrote to memory of 244 4960 uninstall64.exe 88
PID 4960 wrote to memory of 244 4960 uninstall64.exe 88
PID 4960 wrote to memory of 3792 4960 uninstall64.exe 89
PID 4960 wrote to memory of 3792 4960 uninstall64.exe 89
PID 4960 wrote to memory of 1032 4960 uninstall64.exe 90
PID 4960 wrote to memory of 1032 4960 uninstall64.exe 90
PID 4960 wrote to memory of 2248 4960 uninstall64.exe 91
PID 4960 wrote to memory of 2248 4960 uninstall64.exe 91
PID 1032 wrote to memory of 972 1032 regsvr32.exe 92
PID 1032 wrote to memory of 972 1032 regsvr32.exe 92
PID 1032 wrote to memory of 972 1032 regsvr32.exe 92
PID 3792 wrote to memory of 4520 3792 regsvr32.exe 93
PID 3792 wrote to memory of 4520 3792 regsvr32.exe 93
PID 3792 wrote to memory of 4520 3792 regsvr32.exe 93
PID 4960 wrote to memory of 2600 4960 uninstall64.exe 94
PID 4960 wrote to memory of 2600 4960 uninstall64.exe 94
PID 4960 wrote to memory of 388 4960 uninstall64.exe 95
PID 4960 wrote to memory of 388 4960 uninstall64.exe 95
PID 1136 wrote to memory of 4612 1136 WinCDEmu-3.6.exe 96
PID 1136 wrote to memory of 4612 1136 WinCDEmu-3.6.exe 96
PID 1116 wrote to memory of 4292 1116 svchost.exe 98
PID 1116 wrote to memory of 4292 1116 svchost.exe 98
PID 4292 wrote to memory of 4440 4292 DrvInst.exe 99
PID 4292 wrote to memory of 4440 4292 DrvInst.exe 99
PID 2236 wrote to memory of 792 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 9
PID 2236 wrote to memory of 800 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 10
PID 2236 wrote to memory of 384 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 13
PID 2236 wrote to memory of 2448 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 42
PID 2236 wrote to memory of 2460 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 43
PID 2236 wrote to memory of 2548 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 46
PID 2236 wrote to memory of 3544 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 56
PID 2236 wrote to memory of 3664 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 57
PID 2236 wrote to memory of 3852 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 58
PID 2236 wrote to memory of 3948 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 59
PID 2236 wrote to memory of 4008 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 60
PID 2236 wrote to memory of 3100 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 61
PID 2236 wrote to memory of 4128 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 62
PID 2236 wrote to memory of 4608 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 75
PID 2236 wrote to memory of 4560 2236 d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe 76
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe
Processes
- C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"  PID:792
- C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"  PID:800
- C:\Windows\system32\dwm.exe  cmdline: "dwm.exe"  PID:384
- C:\Windows\system32\sihost.exe  cmdline: sihost.exe  PID:2448
- C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2460
- C:\Windows\system32\taskhostw.exe  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2548
- C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE  PID:3544
  - C:\Users\Admin\AppData\Local\Temp\d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\d497af7ae3df86a50104beef19265e4045ad7585f0d985328b84e25420866384N.exe"  PID:2236
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\WinCDEmu-3.6.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\WinCDEmu-3.6.exe" /UNATTENDED  PID:1136
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\WinCDEmu\uninstall64.exe  cmdline: "C:\Program Files (x86)\WinCDEmu\uninstall64.exe" /UPDATE  PID:4960
        - Checks computer location settings
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe  cmdline: "C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisabler.exe" /RegServer  PID:244
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Modifies registry class
        - C:\Windows\System32\regsvr32.exe  cmdline: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll"  PID:3792
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\regsvr32.exe  cmdline: /s "C:\Program Files (x86)\WinCDEmu\x86\VirtualAutorunDisablerPS.dll"  PID:4520
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Modifies registry class
        - C:\Windows\System32\regsvr32.exe  cmdline: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll"  PID:1032
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\regsvr32.exe  cmdline: /s "C:\Program Files (x86)\WinCDEmu\x86\WinCDEmuContextMenu.dll"  PID:972
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Modifies registry class
        - C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe  cmdline: "C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisabler.exe" /RegServer  PID:2248
          - Executes dropped EXE
          - Modifies registry class
        - C:\Windows\System32\regsvr32.exe  cmdline: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\WinCDEmu\x64\VirtualAutorunDisablerPS.dll"  PID:2600
          - Loads dropped DLL
          - Modifies registry class
        - C:\Windows\System32\regsvr32.exe  cmdline: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\WinCDEmu\x64\WinCDEmuContextMenu.dll"  PID:388
          - Loads dropped DLL
          - Modifies registry class
      - C:\Users\Admin\AppData\Local\Temp\ssiCD33.tmp\drvinst64.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ssiCD33.tmp\drvinst64.exe instroot "root\BazisVirtualCDBus" "C:\Program Files (x86)\WinCDEmu\BazisVirtualCDBus.inf"  PID:4612
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Modifies system certificate store
      - C:\Program Files (x86)\WinCDEmu\vmnt64.exe  cmdline: "C:\Program Files (x86)\WinCDEmu\vmnt64" /uacdisable  PID:764
        - Executes dropped EXE
- C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3664
- C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3852
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3948
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4008
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3100
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4128
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:4608
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4560
- C:\Windows\system32\backgroundTaskHost.exe  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  PID:5104
- C:\Windows\system32\backgroundTaskHost.exe  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:4116
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:516
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:528
- C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall  PID:1116
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\DrvInst.exe  cmdline: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{edfcf1ca-9b31-a844-87fe-c0c0be1c05d9}\bazisvirtualcdbus.inf" "9" "4aa431c33" "0000000000000140" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\wincdemu"  PID:4292
    - Manipulates Digital Signatures
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe  cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{47f1fce4-cdb4-414c-adfc-9c3b160a5341} Global\{5533a36c-a480-ba4e-b565-d84556ffd138} C:\Windows\System32\DriverStore\Temp\{0e786fbb-3811-994e-8bec-49c10a498108}\bazisvirtualcdbus.inf C:\Windows\System32\DriverStore\Temp\{0e786fbb-3811-994e-8bec-49c10a498108}\BazisVirtualCDBus.cat  PID:4440
  - C:\Windows\system32\DrvInst.exe  cmdline: DrvInst.exe "2" "211" "ROOT\SCSIADAPTER\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:6a548da5cccf6fa4:BazisVirtualCDBus_Device:3.60.1.0:root\bazisvirtualcdbus," "4aa431c33" "0000000000000140"  PID:1108
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
  Subvert Trust Controls (2)
    Install Root Certificate (1)
    SIP and Trust Provider Hijacking (1)
Downloads