Edit tour

Windows Analysis Report
CH341SER.EXE

Overview

General Information

Sample name:	CH341SER.EXE
Analysis ID:	1358850
MD5:	1af3fdebfbab3e247feb588aea64dd64
SHA1:	d557a8978877199bafe2e7baac63adab17bed05d
SHA256:	9cf96fddf474eda80f2b4c09f8ef19443cf6768429819e4cba7b869291b7b8b5
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Sample is not signed and drops a device driver

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables driver privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Process Tree

System is w10x64_ra

CH341SER.EXE (PID: 4540 cmdline: C:\Users\user\Desktop\CH341SER.EXE MD5: 1AF3FDEBFBAB3E247FEB588AEA64DD64)

SETUP.EXE (PID: 3304 cmdline: "C:\WCH.CN\CH341SER\SETUP.EXE" MD5: 181F68547D52360FC142AC3ADC2436B7)

DRVSETUP64.exe (PID: 6476 cmdline: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE MD5: 1FE688688C2082B37827DB54C4282AF0)

drvinst.exe (PID: 2200 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\CH341SER.INF" "9" "4dbd0d02f" "0000000000000168" "WinSta0\Default" "000000000000014C" "208" "C:\WCH.CN\CH341SER" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: CH341SER.EXE

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: e:\project\ch341\winser34\i386\CH341SER.pdb source: CH341SER.SYS.1.dr, OLDBD9C.tmp.9.dr, SETBE0D.tmp.9.dr, OLDBDEC.tmp.9.dr, SETBE7D.tmp.9.dr, OLDBE5C.tmp.9.dr, SETBD6D.tmp.9.dr, SETBDAE.tmp.9.dr
Source:	Binary string: e:\project\ch341\winser34\amd64\amd64\CH341S64.pdb source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047A1000.00000004.00000020.00020000.00000000.sdmp, DRVSETUP64.exe, 00000009.00000003.2043551695.000000000060B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000010.00000003.1949672064.00000296A94D5000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000010.00000003.1935631815.00000296A941A000.00000004.00000020.00020000.00000000.sdmp, SET920A.tmp.16.dr, SET8A49.tmp.9.dr, CH341S64.SYS.1.dr
Source:	Binary string: _std_v168_150929\objfre_wnet_AMD64\amd64\DRVSETUP64.pdb source: DRVSETUP64.exe, 00000009.00000000.1274218246.0000000001001000.00000020.00000001.01000000.00000008.sdmp, DRVSETUP64.exe.1.dr
Source:	Binary string: _std_v168_150929\objfre_wnet_AMD64\amd64\DRVSETUP64.pdbL source: DRVSETUP64.exe, 00000009.00000000.1274218246.0000000001001000.00000020.00000001.01000000.00000008.sdmp, DRVSETUP64.exe.1.dr

Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DRVSETUP64.exe.1.dr	String found in binary or memory: http://wch.cn
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET891F.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET90CF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\ch341SER.CAT	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\CH341SER.EXE

File created: C:\WCH.CN\CH341SER\CH341S98.SYS

Jump to behavior

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

File created: C:\Windows\System32\Drivers\SETBD6D.tmp

Jump to behavior

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

File created: C:\Windows\System32\Drivers\SETBD6D.tmp

Jump to behavior

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

File deleted: C:\Windows\System32\drivers\SETBD6D.tmp

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\WCH.CN\CH341SER\CH341S64.SYS DE6CA1AE927081AC622F99AB9C77B2127CBB2DF597B4123A4AA2F3DA52CD64D5

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

Process token adjusted: Load Driver

Jump to behavior

Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCH341SER: vs CH341SER.EXE
Source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSETUP.EXE vs CH341SER.EXE

Source: CH341SER.EXE

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: CH341S64.SYS.1.dr	Binary string: \Device\Serial
Source: SETBDAE.tmp.9.dr	Binary string: \Device\Serial\Device\SerialPortNameCOM\DosDevices\
Source: SETBF5D.tmp.9.dr	Binary string: \Device\USBSERPORT0

Source: classification engine

Classification label: sus29.winEXE@6/39@0/0

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

File created: C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}

Jump to behavior

Source: CH341SER.EXE

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CH341SER.EXE

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\CH341SER.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\CH341SER.EXE

File read: C:\Users\user\Desktop\CH341SER.EXE

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CH341SER.EXE C:\Users\user\Desktop\CH341SER.EXE
Source: C:\Users\user\Desktop\CH341SER.EXE	Process created: C:\WCH.CN\CH341SER\SETUP.EXE "C:\WCH.CN\CH341SER\SETUP.EXE"
Source: C:\WCH.CN\CH341SER\SETUP.EXE	Process created: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\CH341SER.INF" "9" "4dbd0d02f" "0000000000000168" "WinSta0\Default" "000000000000014C" "208" "C:\WCH.CN\CH341SER"
Source: C:\Users\user\Desktop\CH341SER.EXE	Process created: C:\WCH.CN\CH341SER\SETUP.EXE "C:\WCH.CN\CH341SER\SETUP.EXE"	Jump to behavior
Source: C:\WCH.CN\CH341SER\SETUP.EXE	Process created: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE	Jump to behavior

Source: C:\Users\user\Desktop\CH341SER.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\CH341SER.EXE

Window found: window name: RichEdit

Jump to behavior

Source: C:\Users\user\Desktop\CH341SER.EXE

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: e:\project\ch341\winser34\i386\CH341SER.pdb source: CH341SER.SYS.1.dr, OLDBD9C.tmp.9.dr, SETBE0D.tmp.9.dr, OLDBDEC.tmp.9.dr, SETBE7D.tmp.9.dr, OLDBE5C.tmp.9.dr, SETBD6D.tmp.9.dr, SETBDAE.tmp.9.dr
Source:	Binary string: e:\project\ch341\winser34\amd64\amd64\CH341S64.pdb source: CH341SER.EXE, 00000001.00000003.1269461917.00000000047A1000.00000004.00000020.00020000.00000000.sdmp, DRVSETUP64.exe, 00000009.00000003.2043551695.000000000060B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000010.00000003.1949672064.00000296A94D5000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000010.00000003.1935631815.00000296A941A000.00000004.00000020.00020000.00000000.sdmp, SET920A.tmp.16.dr, SET8A49.tmp.9.dr, CH341S64.SYS.1.dr
Source:	Binary string: _std_v168_150929\objfre_wnet_AMD64\amd64\DRVSETUP64.pdb source: DRVSETUP64.exe, 00000009.00000000.1274218246.0000000001001000.00000020.00000001.01000000.00000008.sdmp, DRVSETUP64.exe.1.dr
Source:	Binary string: _std_v168_150929\objfre_wnet_AMD64\amd64\DRVSETUP64.pdbL source: DRVSETUP64.exe, 00000009.00000000.1274218246.0000000001001000.00000020.00000001.01000000.00000008.sdmp, DRVSETUP64.exe.1.dr

Source: C:\Users\user\Desktop\CH341SER.EXE

File created: C:\WCH.CN\CH341SER\__tmp_rar_sfx_access_check_5017109

Jump to behavior

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\CH341S98.SYS	Jump to behavior
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\CH341SER.SYS	Jump to behavior
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\CH341S64.SYS	Jump to behavior

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBE8B.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBDBC.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBDBE.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET920A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\CH341S98.SYS	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBDEC.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBDAE.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBE1C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBF1B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\SETUP.EXE	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBF48.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBD9C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBF4C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBF1C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\CH341SER.SYS	Jump to dropped file
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\CH341PT.DLL	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBD7E.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBE9D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\CH341SER.VXD	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBE2E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CH341SER.EXE	File created: C:\WCH.CN\CH341SER\CH341S64.SYS	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBE0D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBF59.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBD6D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBE5C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBE7D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBF5D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET8A49.tmp	Jump to dropped file

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBE8B.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBF1C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBDBC.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBDBE.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET920A.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBD7E.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBE9D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBDEC.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBDAE.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBE2E.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBE0D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBF59.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBE1C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBD6D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBE5C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBF1B.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBF48.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\Temp\OLDBD9C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBE7D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\SETBF4C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	File created: C:\Windows\System32\drivers\SETBF5D.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\CH341SER.EXE

File created: C:\WCH.CN\CH341SER\CH341SER.VXD

Jump to dropped file

Source: C:\Users\user\Desktop\CH341SER.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

Window / User API: threadDelayed 4386

Jump to behavior

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\Temp\OLDBE8B.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SETBF1C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\Temp\OLDBDBC.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET920A.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\System32\SETBD7E.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\System32\SETBE9D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\Temp\OLDBDEC.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\System32\SETBE2E.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\Temp\OLDBF59.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SETBE0D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\Temp\OLDBE1C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\Temp\OLDBE5C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SETBD6D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\System32\SETBF1B.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\Temp\OLDBF48.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\Temp\OLDBD9C.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SETBE7D.tmp	Jump to dropped file
Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET8A49.tmp	Jump to dropped file

Source: C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

Last function: Thread delayed

Source: setupapi.dev.log.9.dr	Binary or memory string: set: BIOS Vendor: VMware, Inc.
Source: setupapi.dev.log.9.dr	Binary or memory string: sig: Key = vmci.inf
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (31ms): Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.3393.cat
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.9.dr	Binary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.9.dr	Binary or memory string: set: System Product Name: VMware20,1
Source: setupapi.dev.log.9.dr	Binary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: setupapi.dev.log.9.dr	Binary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.9.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: setupapi.dev.log.9.dr	Binary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V Network Adapter}
Source: setupapi.dev.log.9.dr	Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.2728.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.3393.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V Fibre Channel HBA (not supported)}
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V VMBus Support Channel}
Source: setupapi.dev.log.9.dr	Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (15ms): Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.
Source: setupapi.dev.log.9.dr	Binary or memory string: set: System Manufacturer: VMware, Inc.
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (16ms): HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.9.dr	Binary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.9.dr	Binary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Add Service: vmci}
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (15ms): HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: Created new service 'vmci'.
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.9.dr	Binary or memory string: set: PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3F -> Configured [oem2.inf:PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD,vmci.install.x64.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V Virtual PCI Bus}
Source: setupapi.dev.log.9.dr	Binary or memory string: set: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 -> Configured [disk.inf:GenDisk,disk_install.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V SCSI Controller}
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (16ms): HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.3393.cat
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:49 06/10/2023: DONE Adding Catalog File (0ms): HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.3393.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V Virtualization Infrastructure Driver}
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: Display Name = Microsoft Hyper-V Storage Accelerator
Source: setupapi.dev.log.9.dr	Binary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.9.dr	Binary or memory string: set: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 -> Configured [cdrom.inf:GenCdRom,cdrom_install] and started (ConfigFlags = 0x00000000).
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V Crashdump Driver}
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V Video}
Source: setupapi.dev.log.9.dr	Binary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: setupapi.dev.log.9.dr	Binary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V Accelerated Disk Drive}
Source: setupapi.dev.log.9.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (16ms): Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: Display Name = Microsoft Hyper-V Virtual PCI Bus
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: Microsoft Hyper-V Virtual Machine Bus}
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.3448.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:50 06/10/2023: DONE Adding Catalog File (0ms): Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat
Source: setupapi.dev.log.9.dr	Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.9.dr	Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: dberr.txt.16.dr	Binary or memory string: CatalogDB: 11:48:53 06/10/2023: DONE Adding Catalog File (15ms): Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.2364.cat

Source: C:\Users\user\Desktop\CH341SER.EXE

Process created: C:\WCH.CN\CH341SER\SETUP.EXE "C:\WCH.CN\CH341SER\SETUP.EXE"

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Queries volume information: C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\CH341SER.CAT VolumeInformation

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	4 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	1 LSASS Driver	1 LSASS Driver	1 Software Packing	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	11 Process Injection	11 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://wch.cn	DRVSETUP64.exe.1.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	false		high
http://www.symauth.com/cps0(	CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	false		high
http://www.symauth.com/rpa00	CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	false		high
http://ocsp.thawte.com0	CH341SER.EXE, 00000001.00000003.1269461917.00000000047B5000.00000004.00000020.00020000.00000000.sdmp, SETUP.EXE.1.dr, DRVSETUP64.exe.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1358850
Start date and time:	2023-12-11 19:37:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CH341SER.EXE
Detection:	SUS
Classification:	sus29.winEXE@6/39@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .EXE

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: CH341SER.EXE

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET8A49.tmp	http://dl.elitech.uk.com/ElitechLog%20Windows.exe	Get hash	malicious		Browse
C:\WCH.CN\CH341SER\CH341S64.SYS	http://dl.elitech.uk.com/ElitechLog%20Windows.exe	Get hash	malicious		Browse
C:\WCH.CN\CH341SER\CH341PT.DLL	Logpro-setup-english-64bit.exe	Get hash	malicious	Unknown	Browse
	stc-isp-15xx-v6.85.exe	Get hash	malicious	Unknown	Browse
	stc-isp-15xx-v6.85.exe	Get hash	malicious	Unknown	Browse
	http://dl.elitech.uk.com/ElitechLog%20Windows.exe	Get hash	malicious		Browse

Created / dropped Files

(copy)

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	data
Category:	dropped
Size (bytes):	10466
Entropy (8bit):	6.923809869295835
Encrypted:	false
SSDEEP:	192:enOTMcTZwTT4YTQ0T/TZyqeEymwscpH2vByQlT3G/R8X09+3Ef5KYpBjSA0p2:hVZydrLUH2pzx2KXM+3Ef5dpBjh62
MD5:	715693624013826D337E792ED86376AC
SHA1:	A3AA17C2BAE326ECBD19B4969FD36724299D5ABD
SHA-256:	585FCA8AB9C8A13222760D6BBAB62CE4069D24F73BD304D89C54B5298B9420BD
SHA-512:	47E60A905B0F966DB61688C98CF16005862B5BCE61A47B4C72B090E414D7B0C8EEBA94795BBF100272AE6B1D0A843142902E852D610A528C2629F35E3F59E46F
Malicious:	false
Reputation:	low
Preview:	0.(....H........(.0.(....1.0...+......0.....+.....7......0...0...+.....7.....".f.9.<M.M..$....150206063932Z0...+.....7.....0.. 0....R2.C.6.2.A.C.1.D.4.3.A.B.7.5.F.9.0.E.7.4.C.7.2.8.F.9.6.6.B.D.9.9.6.C.C.2.5.F.C.8...1..W0<..+.....7...1.0,...F.i.l.e........c.h.3.4.1.s.9.8...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........,b..C.u..t.(.f..l._.0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...3...0....R6.8.9.7.7.7.B.0.7.F.5.6.A.D.5.C.7.C.0.4.6.9.E.D.5.8.1.7.8.0.E.2.B.8.2.A.2.8.5.2...1..U0:..+.....7...1,0...F.i.l.e........c.h.3.4.1.p.t...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........h.w..V.\\|.i.X...*(R0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...3...0..

C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET891F.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	data
Category:	dropped
Size (bytes):	10466
Entropy (8bit):	6.923809869295835
Encrypted:	false
SSDEEP:	192:enOTMcTZwTT4YTQ0T/TZyqeEymwscpH2vByQlT3G/R8X09+3Ef5KYpBjSA0p2:hVZydrLUH2pzx2KXM+3Ef5dpBjh62
MD5:	715693624013826D337E792ED86376AC
SHA1:	A3AA17C2BAE326ECBD19B4969FD36724299D5ABD
SHA-256:	585FCA8AB9C8A13222760D6BBAB62CE4069D24F73BD304D89C54B5298B9420BD
SHA-512:	47E60A905B0F966DB61688C98CF16005862B5BCE61A47B4C72B090E414D7B0C8EEBA94795BBF100272AE6B1D0A843142902E852D610A528C2629F35E3F59E46F
Malicious:	false
Reputation:	low
Preview:	0.(....H........(.0.(....1.0...+......0.....+.....7......0...0...+.....7.....".f.9.<M.M..$....150206063932Z0...+.....7.....0.. 0....R2.C.6.2.A.C.1.D.4.3.A.B.7.5.F.9.0.E.7.4.C.7.2.8.F.9.6.6.B.D.9.9.6.C.C.2.5.F.C.8...1..W0<..+.....7...1.0,...F.i.l.e........c.h.3.4.1.s.9.8...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........,b..C.u..t.(.f..l._.0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...3...0....R6.8.9.7.7.7.B.0.7.F.5.6.A.D.5.C.7.C.0.4.6.9.E.D.5.8.1.7.8.0.E.2.B.8.2.A.2.8.5.2...1..U0:..+.....7...1,0...F.i.l.e........c.h.3.4.1.p.t...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........h.w..V.\\|.i.X...*(R0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...3...0..

C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET89BC.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	6678
Entropy (8bit):	5.864044927333677
Encrypted:	false
SSDEEP:	192:VyiC/xM4geO5ZafiWPty4HhGlFuD4JSXQYQLhQ66Auy:ZC/xM4geO5bY1HhuFuDISXQYQLhQ66fy
MD5:	0ECFFBA87B80F54F7016DA633DD9AB1C
SHA1:	E46668F0267651C248944766291791B0DEF36F1D
SHA-256:	0CBD34F89B0D11B386E07A825FAB531706F86E9DA44DCC536AC7C98A6D22C383
SHA-512:	1738BD22BE834B053CABE91F2F53A2686D2091B29CB3CABA9FD3033FB94108AD2DB42829EDC25F38DAE22BF46AC9BCE2CB5919CBF0B63C88BF7D7B22B2B2CA2D
Malicious:	false
Reputation:	low
Preview:	; CH341SER.INF..; Driver for CH341 (USB=>SERIAL chip) V3.4..; WDM&VXD for Windows 98/Me/2000/XP/Server2003/Vista/64bit Vista/Server2008/Win7/64bit Win7..; Copyright (C) W.ch 2001-2014..;....[Version]..Signature = "$Chicago$"..Class = Ports..ClassGuid = {4D36E978-E325-11CE-BFC1-08002BE10318}..Provider = %WinChipHead%..DriverVer = 08/08/2014, 3.4.2014.08..CatalogFile = CH341SER.CAT....[ControlFlags]..ExcludeFromSelect = USB\VID_1A86&PID_7523..ExcludeFromSelect = USB\VID_1A86&PID_5523..ExcludeFromSelect = USB\VID_4348&PID_5523..ExcludeFromSelect = USB\VID_4348&PID_5523&REV_0250..ExcludeFromSelect = USBSERPORT\SER5523..ExcludeFromSelect = CH341PORT\SER5523....[Manufacturer]..%WinChipHead% = WinChipHead,NT,NTamd64,NTia64....[WinChipHead]..%CH340SER.DeviceDesc% = CH341SER_Install, USB\VID_1A86&PID_7523..%CH341ASER.DeviceDesc% = CH341SER_Install, USB\VID_1A86&PID_5523..%CH341SER.DeviceDesc% = CH341SER_Install, USB\VID_4348&PID_5523..%CH340SER.DeviceDesc% = CH341SER_Install, USB\VID_4348&

C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET8A49.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	5.92773729833597
Encrypted:	false
SSDEEP:	768:Di+r3IRgvQFTOlBg7L2RzlKx3CDjUKZeUSgqg0ACdLgLRHT31mlGdJeB:DvXvQclBgmRzu3wIEefACdsLRH7c5
MD5:	3C0A1B6F538E00F318C109F4A3F29515
SHA1:	8F337186BFDBFF75B11EB510E47C96479FC2327A
SHA-256:	DE6CA1AE927081AC622F99AB9C77B2127CBB2DF597B4123A4AA2F3DA52CD64D5
SHA-512:	1DB105044C6D6A9C671CB730E4A49982D3146DB54E51D6DEC34834144428CDCCD333E3980B4B92EEB3A0CE993EA2B773B47399155EBEB99363BA02B27B166ED8
Malicious:	false
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........QK..0%..0%..0%..0$..0%..^..0%..X..0%..H..0%.0?{..0%..]..0%.Rich.0%.........PE..d......T.........."..........*......p........................................@......."......................................................<...P.... ..x.......X............0.......................................................................................text...~........................... ..h.rdata..............................@..H.data...p...........................@....pdata..X...........................@..HINIT................................ ....rsrc...x.... ......................@..B.reloc..<....0......................@..B........................................................................................................................................................................................................................................................

C:\WCH.CN\CH341SER\CH341PT.DLL

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	3.943977525490966
Encrypted:	false
SSDEEP:	96:UeIX+tip7uemP4I3bYFE6H6IyYrL9Cu6d0CGeSG4qb6Yiigx9BGWsy:Uegda4Irx6HhGLbqig7Lsy
MD5:	69B6FEC924C30042D329AE56CA8925CC
SHA1:	54E8D7D9004C8C819FE2E8BF7A1306BCBDD5ECBF
SHA-256:	45494CE819C1B5C21ABB72DC47A0CA36807E0ED74CE55B631DA174C77A9B24DB
SHA-512:	A6BC866712C2B6D2EC115341DE6EC5B352505FFF159AF967B03D27AD767164271F147780639E836A4DA54F4B2B688591EDF1374802CB5F7340062AEE9B341ABC
Malicious:	false
Joe Sandbox View:	Filename: Logpro-setup-english-64bit.exe, Detection: malicious, Browse Filename: stc-isp-15xx-v6.85.exe, Detection: malicious, Browse Filename: stc-isp-15xx-v6.85.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................l.......^...............Rich............PE..L...c..B ..........!......................... ....@..........................P..................................................<....0..8....................@..D...@...T...............................................4............................text............................... ..`.data...`.... ......................@....rsrc...8....0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\WCH.CN\CH341SER\CH341S64.SYS

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	5.92773729833597
Encrypted:	false
SSDEEP:	768:Di+r3IRgvQFTOlBg7L2RzlKx3CDjUKZeUSgqg0ACdLgLRHT31mlGdJeB:DvXvQclBgmRzu3wIEefACdsLRH7c5
MD5:	3C0A1B6F538E00F318C109F4A3F29515
SHA1:	8F337186BFDBFF75B11EB510E47C96479FC2327A
SHA-256:	DE6CA1AE927081AC622F99AB9C77B2127CBB2DF597B4123A4AA2F3DA52CD64D5
SHA-512:	1DB105044C6D6A9C671CB730E4A49982D3146DB54E51D6DEC34834144428CDCCD333E3980B4B92EEB3A0CE993EA2B773B47399155EBEB99363BA02B27B166ED8
Malicious:	true
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........QK..0%..0%..0%..0$..0%..^..0%..X..0%..H..0%.0?{..0%..]..0%.Rich.0%.........PE..d......T.........."..........*......p........................................@......."......................................................<...P.... ..x.......X............0.......................................................................................text...~........................... ..h.rdata..............................@..H.data...p...........................@....pdata..X...........................@..HINIT................................ ....rsrc...x.... ......................@..B.reloc..<....0......................@..B........................................................................................................................................................................................................................................................

C:\WCH.CN\CH341SER\CH341S98.SYS

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	19680
Entropy (8bit):	6.177213515531636
Encrypted:	false
SSDEEP:	384:3P2ie5TwxdKe9Vk5DT6Im2ULzQFAQOCsznlUt+3x:OiesSVTZm2ULz4A27wx
MD5:	B6F4A83911336E84BEAD8F8905285FAB
SHA1:	983786502F45AFB946F023D73E32A31BC1BBB91D
SHA-256:	0ECD1222627271EA31D3B64796992B6DAF5133D64CC26D43B3873CBE32FD59CB
SHA-512:	93E949EA7CF067E1CEC52F6DDE8678FC7BCEB2E947164040A087FDD63E799CC244EB6974323FC836F70AE777A67E9660F4E9E2DBB42DC0C4B099B1C2BE168964
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4.Y.Z.Y.Z.Y.Z.Y.[...Z...I.Z.Z...I.X.Z...\.X.Z.Y.Z.\.Z.RichY.Z.................PE..L....`nF...........#.....>..........X=.......;...... ... ...................@I......{-...............................<..U...X>..<....C..`...................`F..\|...p...8............................................................................text....9...... 9.................. ..h.data........;.......;..............@....edata..U....<..`....<..............@..@INIT........@=......@=.............. ....rsrc...`....C..`....C..............@..B.reloc......`F......`F..............@..B.........B...B......f?...?...?...?...?...?...?...@...@..6@..R@..n@..\|@...@...@...@...@..X?...A...A..&A..<A..NA..^A..vA...A...A...A...A...A...B...B..4B..JB..fB..F?...@..<?...................`nF................@I.......`nF................PJ.......`nF.................b..................>0.s.E=s;8\F.O../J?.

C:\WCH.CN\CH341SER\CH341SER.INF

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	6678
Entropy (8bit):	5.864044927333677
Encrypted:	false
SSDEEP:	192:VyiC/xM4geO5ZafiWPty4HhGlFuD4JSXQYQLhQ66Auy:ZC/xM4geO5bY1HhuFuDISXQYQLhQ66fy
MD5:	0ECFFBA87B80F54F7016DA633DD9AB1C
SHA1:	E46668F0267651C248944766291791B0DEF36F1D
SHA-256:	0CBD34F89B0D11B386E07A825FAB531706F86E9DA44DCC536AC7C98A6D22C383
SHA-512:	1738BD22BE834B053CABE91F2F53A2686D2091B29CB3CABA9FD3033FB94108AD2DB42829EDC25F38DAE22BF46AC9BCE2CB5919CBF0B63C88BF7D7B22B2B2CA2D
Malicious:	false
Preview:	; CH341SER.INF..; Driver for CH341 (USB=>SERIAL chip) V3.4..; WDM&VXD for Windows 98/Me/2000/XP/Server2003/Vista/64bit Vista/Server2008/Win7/64bit Win7..; Copyright (C) W.ch 2001-2014..;....[Version]..Signature = "$Chicago$"..Class = Ports..ClassGuid = {4D36E978-E325-11CE-BFC1-08002BE10318}..Provider = %WinChipHead%..DriverVer = 08/08/2014, 3.4.2014.08..CatalogFile = CH341SER.CAT....[ControlFlags]..ExcludeFromSelect = USB\VID_1A86&PID_7523..ExcludeFromSelect = USB\VID_1A86&PID_5523..ExcludeFromSelect = USB\VID_4348&PID_5523..ExcludeFromSelect = USB\VID_4348&PID_5523&REV_0250..ExcludeFromSelect = USBSERPORT\SER5523..ExcludeFromSelect = CH341PORT\SER5523....[Manufacturer]..%WinChipHead% = WinChipHead,NT,NTamd64,NTia64....[WinChipHead]..%CH340SER.DeviceDesc% = CH341SER_Install, USB\VID_1A86&PID_7523..%CH341ASER.DeviceDesc% = CH341SER_Install, USB\VID_1A86&PID_5523..%CH341SER.DeviceDesc% = CH341SER_Install, USB\VID_4348&PID_5523..%CH340SER.DeviceDesc% = CH341SER_Install, USB\VID_4348&

C:\WCH.CN\CH341SER\CH341SER.SYS

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.24815654617757
Encrypted:	false
SSDEEP:	768:BUkA6vcfLLJQ0y0Apg++LVhf3/CsItc5muLuyJGN:q4uJQ70Apg++LLfvbJAeulN
MD5:	A9FC675D0029A525335B106487C7D578
SHA1:	0D8B829640DC907EE9B2E6DB1C43F8459D63E2E2
SHA-256:	50877BC8EA82BBAC833D25C9AC248E6FC9A240AB3C6D7E2C115667532C23676F
SHA-512:	8CF58435D597452A9D34E02E23FD78F18AB06D76FEB7531609EED58B369E10F08EE3D61B2A80A45196F6D76F2AC6249726D01E30102F1A6671B81F275C845238
Malicious:	true
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........................................................................................................................................................................................................................................................................................................................................................................................................6..OW..OW..OW..OW...W...t..FW..._.NW...X.NW...X.NW...X.NW..RichOW..........................PE..L......T............................'.......................................................................................X...d.......P.......................$.......................................................4............................text............................... ..h.rdata..4...........................@..H.data...@...........................@...INIT....................

C:\WCH.CN\CH341SER\CH341SER.VXD

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	MS-DOS executable, LE executable for MS Windows (VxD)
Category:	dropped
Size (bytes):	20089
Entropy (8bit):	5.450760869632819
Encrypted:	false
SSDEEP:	384:GzXpHVPakjq16uZuDxqLOvCxXEAjT90DVBAMBTaU:05Hr+EGlXbT9uAQGU
MD5:	BE7438420F1DA854917F58CAD557476D
SHA1:	CAF1095963459AB66326CDC7ECAB29514938748F
SHA-256:	2A946F316EDD7E1185DEEAFDC2DE52B2D2843198BE098A724233C12F9CCD0DAE
SHA-512:	E35442704374A3B5E79BAD491F819AC82CE3054ED50AE1EEF0FC3ACBB6D3016BDBCDD63902236E247CB4B8279FF8FEC377AFA2753EBDBCA911D6D388D23A63DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;.A.U.A.U.A.U.G._.E.U.G.^.D.U.A.U.\.U.RichA.U.........................LE......................................................................................p...\|...................u.......u................L..%............................................L..........D:......E ..........LCOD......... ..........ICOD.............................................................................................................................CH341SER........\........................"..."..."..."..."...)...a...a...v...v...v...............`.......C.......:...............!...D...e...e...o.....t...0..P..p$..L..`$..H.. $..D..0!..@... ..<... '....24.....0......,......(..@.'....2 .$........................P.........................................P...... ......0.............@...........................P...... ......@......P........'.......X......`.'....1l.8.\.`.d.h.l.p.x.

C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47040
Entropy (8bit):	6.257045960783428
Encrypted:	false
SSDEEP:	768:Km0g8/JV5NDAGcN37MpHdMon5f/D1yM4E9obXDC8TvmS+geyX8K:7ydNUG1as5DerDJmS+aX8K
MD5:	1FE688688C2082B37827DB54C4282AF0
SHA1:	D6DC4F97A61A9F1919CBBD7CC52C7BB59B0291FB
SHA-256:	A5A07EE7B5195497BE4796845CB05B38618DAAF2AF98884B29EEAD6D073353B8
SHA-512:	5D2A93EA1C47F1D9623CDDF57F4F7961C9B78258BDEEEC5CB62A461853BE6B7B47C20617DE300366E60BB4146B6A283A8CA7694FEE3EE8AFB90E72875841272B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........)MT.G.T.G.T.G.T.F.$.G."w<._.G."w:.V.G."w*.Y.G."w).V.G.....U.G."w?.U.G.RichT.G.........PE..d....\0V..........#..................z....................................... ......h................ ..........................................x.......x.......l.......................................................................p............................text...d........................... ..`.data...._..........................@....pdata..l...........................@..@.rsrc...x...........................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\WCH.CN\CH341SER\SETUP.EXE

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	100288
Entropy (8bit):	5.70137381151815
Encrypted:	false
SSDEEP:	1536:kkemXlWr2vWvTSQUbnShitoodAO7i9eoneAGXH:kkbv9fUILAOOUoneAiH
MD5:	181F68547D52360FC142AC3ADC2436B7
SHA1:	8D5EAC850374E4FAF2BAC2E439D1E02D2D2C704B
SHA-256:	A8F306D5BA1A23F587283FD410313F50AC1AC5CE1268938B065130A0DC84C658
SHA-512:	1EE8FDB1692061482A0FCC6030ECE500FA7473586FFFE6EB3836B3D3D54BED4CB4FE443DE8173D252E5D206EABEE6E363C387366B159AE29859C77BBFE5CEE4E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3.p.R.#.R.#.R.#!M.#.R.#.R.#.R.#.t.#.R.#zN.#.R.#.t.#.R.#.M.#.R.#.R.#qR.#.M.#.R.#>T.#.R.#Rich.R.#........PE..L....>0V.............................S............@..................................Y......................................`...x.......l............p...............................................................................................text............................... ..`.rdata..~........ ..................@..@.data............P..................@....rsrc...l........ ...P..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\WCH.CN\CH341SER\ch341SER.CAT

Download File

Process:	C:\Users\user\Desktop\CH341SER.EXE
File Type:	data
Category:	dropped
Size (bytes):	10466
Entropy (8bit):	6.923809869295835
Encrypted:	false
SSDEEP:	192:enOTMcTZwTT4YTQ0T/TZyqeEymwscpH2vByQlT3G/R8X09+3Ef5KYpBjSA0p2:hVZydrLUH2pzx2KXM+3Ef5dpBjh62
MD5:	715693624013826D337E792ED86376AC
SHA1:	A3AA17C2BAE326ECBD19B4969FD36724299D5ABD
SHA-256:	585FCA8AB9C8A13222760D6BBAB62CE4069D24F73BD304D89C54B5298B9420BD
SHA-512:	47E60A905B0F966DB61688C98CF16005862B5BCE61A47B4C72B090E414D7B0C8EEBA94795BBF100272AE6B1D0A843142902E852D610A528C2629F35E3F59E46F
Malicious:	false
Preview:	0.(....H........(.0.(....1.0...+......0.....+.....7......0...0...+.....7.....".f.9.<M.M..$....150206063932Z0...+.....7.....0.. 0....R2.C.6.2.A.C.1.D.4.3.A.B.7.5.F.9.0.E.7.4.C.7.2.8.F.9.6.6.B.D.9.9.6.C.C.2.5.F.C.8...1..W0<..+.....7...1.0,...F.i.l.e........c.h.3.4.1.s.9.8...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........,b..C.u..t.(.f..l._.0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...3...0....R6.8.9.7.7.7.B.0.7.F.5.6.A.D.5.C.7.C.0.4.6.9.E.D.5.8.1.7.8.0.E.2.B.8.2.A.2.8.5.2...1..U0:..+.....7...1,0...F.i.l.e........c.h.3.4.1.p.t...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........h.w..V.\\|.i.X...*(R0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...3...0..

C:\Windows\INF\oem4.inf

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	6678
Entropy (8bit):	5.864044927333677
Encrypted:	false
SSDEEP:	192:VyiC/xM4geO5ZafiWPty4HhGlFuD4JSXQYQLhQ66Auy:ZC/xM4geO5bY1HhuFuDISXQYQLhQ66fy
MD5:	0ECFFBA87B80F54F7016DA633DD9AB1C
SHA1:	E46668F0267651C248944766291791B0DEF36F1D
SHA-256:	0CBD34F89B0D11B386E07A825FAB531706F86E9DA44DCC536AC7C98A6D22C383
SHA-512:	1738BD22BE834B053CABE91F2F53A2686D2091B29CB3CABA9FD3033FB94108AD2DB42829EDC25F38DAE22BF46AC9BCE2CB5919CBF0B63C88BF7D7B22B2B2CA2D
Malicious:	false
Preview:	; CH341SER.INF..; Driver for CH341 (USB=>SERIAL chip) V3.4..; WDM&VXD for Windows 98/Me/2000/XP/Server2003/Vista/64bit Vista/Server2008/Win7/64bit Win7..; Copyright (C) W.ch 2001-2014..;....[Version]..Signature = "$Chicago$"..Class = Ports..ClassGuid = {4D36E978-E325-11CE-BFC1-08002BE10318}..Provider = %WinChipHead%..DriverVer = 08/08/2014, 3.4.2014.08..CatalogFile = CH341SER.CAT....[ControlFlags]..ExcludeFromSelect = USB\VID_1A86&PID_7523..ExcludeFromSelect = USB\VID_1A86&PID_5523..ExcludeFromSelect = USB\VID_4348&PID_5523..ExcludeFromSelect = USB\VID_4348&PID_5523&REV_0250..ExcludeFromSelect = USBSERPORT\SER5523..ExcludeFromSelect = CH341PORT\SER5523....[Manufacturer]..%WinChipHead% = WinChipHead,NT,NTamd64,NTia64....[WinChipHead]..%CH340SER.DeviceDesc% = CH341SER_Install, USB\VID_1A86&PID_7523..%CH341ASER.DeviceDesc% = CH341SER_Install, USB\VID_1A86&PID_5523..%CH341SER.DeviceDesc% = CH341SER_Install, USB\VID_4348&PID_5523..%CH340SER.DeviceDesc% = CH341SER_Install, USB\VID_4348&

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	2499971
Entropy (8bit):	5.22097471360513
Encrypted:	false
SSDEEP:	12288:O+5cge9m9jVuWs22GZRvV3V6hcGZ0s2NZL:sGZRqcGZe
MD5:	E0F076664C75CF35C219C19A3391736E
SHA1:	C67B143C8E1C3C2BDA23F90BFD9533AEAC79BEF4
SHA-256:	342B93F4DD00C5022CF1D6BF515AF978506BC1B9C2066EC346337050C325ADC8
SHA-512:	4EB2F88B1D021BB3213C69B16AC92F81D4AB729485333EEE15C3A084738BD5685091F90C6230D089CA01FDD25C32A81ABBEDAD533491BE2DD78AE3B80DF7832A
Malicious:	false
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET90CF.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	10466
Entropy (8bit):	6.923809869295835
Encrypted:	false
SSDEEP:	192:enOTMcTZwTT4YTQ0T/TZyqeEymwscpH2vByQlT3G/R8X09+3Ef5KYpBjSA0p2:hVZydrLUH2pzx2KXM+3Ef5dpBjh62
MD5:	715693624013826D337E792ED86376AC
SHA1:	A3AA17C2BAE326ECBD19B4969FD36724299D5ABD
SHA-256:	585FCA8AB9C8A13222760D6BBAB62CE4069D24F73BD304D89C54B5298B9420BD
SHA-512:	47E60A905B0F966DB61688C98CF16005862B5BCE61A47B4C72B090E414D7B0C8EEBA94795BBF100272AE6B1D0A843142902E852D610A528C2629F35E3F59E46F
Malicious:	false
Preview:	0.(....H........(.0.(....1.0...+......0.....+.....7......0...0...+.....7.....".f.9.<M.M..$....150206063932Z0...+.....7.....0.. 0....R2.C.6.2.A.C.1.D.4.3.A.B.7.5.F.9.0.E.7.4.C.7.2.8.F.9.6.6.B.D.9.9.6.C.C.2.5.F.C.8...1..W0<..+.....7...1.0,...F.i.l.e........c.h.3.4.1.s.9.8...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........,b..C.u..t.(.f..l._.0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...3...0....R6.8.9.7.7.7.B.0.7.F.5.6.A.D.5.C.7.C.0.4.6.9.E.D.5.8.1.7.8.0.E.2.B.8.2.A.2.8.5.2...1..U0:..+.....7...1,0...F.i.l.e........c.h.3.4.1.p.t...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........h.w..V.\\|.i.X...*(R0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...3...0..

C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET915D.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	6678
Entropy (8bit):	5.864044927333677
Encrypted:	false
SSDEEP:	192:VyiC/xM4geO5ZafiWPty4HhGlFuD4JSXQYQLhQ66Auy:ZC/xM4geO5bY1HhuFuDISXQYQLhQ66fy
MD5:	0ECFFBA87B80F54F7016DA633DD9AB1C
SHA1:	E46668F0267651C248944766291791B0DEF36F1D
SHA-256:	0CBD34F89B0D11B386E07A825FAB531706F86E9DA44DCC536AC7C98A6D22C383
SHA-512:	1738BD22BE834B053CABE91F2F53A2686D2091B29CB3CABA9FD3033FB94108AD2DB42829EDC25F38DAE22BF46AC9BCE2CB5919CBF0B63C88BF7D7B22B2B2CA2D
Malicious:	false
Preview:	; CH341SER.INF..; Driver for CH341 (USB=>SERIAL chip) V3.4..; WDM&VXD for Windows 98/Me/2000/XP/Server2003/Vista/64bit Vista/Server2008/Win7/64bit Win7..; Copyright (C) W.ch 2001-2014..;....[Version]..Signature = "$Chicago$"..Class = Ports..ClassGuid = {4D36E978-E325-11CE-BFC1-08002BE10318}..Provider = %WinChipHead%..DriverVer = 08/08/2014, 3.4.2014.08..CatalogFile = CH341SER.CAT....[ControlFlags]..ExcludeFromSelect = USB\VID_1A86&PID_7523..ExcludeFromSelect = USB\VID_1A86&PID_5523..ExcludeFromSelect = USB\VID_4348&PID_5523..ExcludeFromSelect = USB\VID_4348&PID_5523&REV_0250..ExcludeFromSelect = USBSERPORT\SER5523..ExcludeFromSelect = CH341PORT\SER5523....[Manufacturer]..%WinChipHead% = WinChipHead,NT,NTamd64,NTia64....[WinChipHead]..%CH340SER.DeviceDesc% = CH341SER_Install, USB\VID_1A86&PID_7523..%CH341ASER.DeviceDesc% = CH341SER_Install, USB\VID_1A86&PID_5523..%CH341SER.DeviceDesc% = CH341SER_Install, USB\VID_4348&PID_5523..%CH340SER.DeviceDesc% = CH341SER_Install, USB\VID_4348&

C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET920A.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	5.92773729833597
Encrypted:	false
SSDEEP:	768:Di+r3IRgvQFTOlBg7L2RzlKx3CDjUKZeUSgqg0ACdLgLRHT31mlGdJeB:DvXvQclBgmRzu3wIEefACdsLRH7c5
MD5:	3C0A1B6F538E00F318C109F4A3F29515
SHA1:	8F337186BFDBFF75B11EB510E47C96479FC2327A
SHA-256:	DE6CA1AE927081AC622F99AB9C77B2127CBB2DF597B4123A4AA2F3DA52CD64D5
SHA-512:	1DB105044C6D6A9C671CB730E4A49982D3146DB54E51D6DEC34834144428CDCCD333E3980B4B92EEB3A0CE993EA2B773B47399155EBEB99363BA02B27B166ED8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........QK..0%..0%..0%..0$..0%..^..0%..X..0%..H..0%.0?{..0%..]..0%.Rich.0%.........PE..d......T.........."..........*......p........................................@......."......................................................<...P.... ..x.......X............0.......................................................................................text...~........................... ..h.rdata..............................@..H.data...p...........................@....pdata..X...........................@..HINIT................................ ....rsrc...x.... ......................@..B.reloc..<....0......................@..B........................................................................................................................................................................................................................................................

C:\Windows\System32\SETBD7E.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	3.943977525490966
Encrypted:	false
SSDEEP:	96:UeIX+tip7uemP4I3bYFE6H6IyYrL9Cu6d0CGeSG4qb6Yiigx9BGWsy:Uegda4Irx6HhGLbqig7Lsy
MD5:	69B6FEC924C30042D329AE56CA8925CC
SHA1:	54E8D7D9004C8C819FE2E8BF7A1306BCBDD5ECBF
SHA-256:	45494CE819C1B5C21ABB72DC47A0CA36807E0ED74CE55B631DA174C77A9B24DB
SHA-512:	A6BC866712C2B6D2EC115341DE6EC5B352505FFF159AF967B03D27AD767164271F147780639E836A4DA54F4B2B688591EDF1374802CB5F7340062AEE9B341ABC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................l.......^...............Rich............PE..L...c..B ..........!......................... ....@..........................P..................................................<....0..8....................@..D...@...T...............................................4............................text............................... ..`.data...`.... ......................@....rsrc...8....0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\SETBDBE.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	3.943977525490966
Encrypted:	false
SSDEEP:	96:UeIX+tip7uemP4I3bYFE6H6IyYrL9Cu6d0CGeSG4qb6Yiigx9BGWsy:Uegda4Irx6HhGLbqig7Lsy
MD5:	69B6FEC924C30042D329AE56CA8925CC
SHA1:	54E8D7D9004C8C819FE2E8BF7A1306BCBDD5ECBF
SHA-256:	45494CE819C1B5C21ABB72DC47A0CA36807E0ED74CE55B631DA174C77A9B24DB
SHA-512:	A6BC866712C2B6D2EC115341DE6EC5B352505FFF159AF967B03D27AD767164271F147780639E836A4DA54F4B2B688591EDF1374802CB5F7340062AEE9B341ABC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................l.......^...............Rich............PE..L...c..B ..........!......................... ....@..........................P..................................................<....0..8....................@..D...@...T...............................................4............................text............................... ..`.data...`.... ......................@....rsrc...8....0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\SETBE2E.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	3.943977525490966
Encrypted:	false
SSDEEP:	96:UeIX+tip7uemP4I3bYFE6H6IyYrL9Cu6d0CGeSG4qb6Yiigx9BGWsy:Uegda4Irx6HhGLbqig7Lsy
MD5:	69B6FEC924C30042D329AE56CA8925CC
SHA1:	54E8D7D9004C8C819FE2E8BF7A1306BCBDD5ECBF
SHA-256:	45494CE819C1B5C21ABB72DC47A0CA36807E0ED74CE55B631DA174C77A9B24DB
SHA-512:	A6BC866712C2B6D2EC115341DE6EC5B352505FFF159AF967B03D27AD767164271F147780639E836A4DA54F4B2B688591EDF1374802CB5F7340062AEE9B341ABC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................l.......^...............Rich............PE..L...c..B ..........!......................... ....@..........................P..................................................<....0..8....................@..D...@...T...............................................4............................text............................... ..`.data...`.... ......................@....rsrc...8....0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\SETBE9D.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	3.943977525490966
Encrypted:	false
SSDEEP:	96:UeIX+tip7uemP4I3bYFE6H6IyYrL9Cu6d0CGeSG4qb6Yiigx9BGWsy:Uegda4Irx6HhGLbqig7Lsy
MD5:	69B6FEC924C30042D329AE56CA8925CC
SHA1:	54E8D7D9004C8C819FE2E8BF7A1306BCBDD5ECBF
SHA-256:	45494CE819C1B5C21ABB72DC47A0CA36807E0ED74CE55B631DA174C77A9B24DB
SHA-512:	A6BC866712C2B6D2EC115341DE6EC5B352505FFF159AF967B03D27AD767164271F147780639E836A4DA54F4B2B688591EDF1374802CB5F7340062AEE9B341ABC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................l.......^...............Rich............PE..L...c..B ..........!......................... ....@..........................P..................................................<....0..8....................@..D...@...T...............................................4............................text............................... ..`.data...`.... ......................@....rsrc...8....0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\SETBF1B.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	MS-DOS executable, LE executable for MS Windows (VxD)
Category:	dropped
Size (bytes):	20089
Entropy (8bit):	5.450760869632819
Encrypted:	false
SSDEEP:	384:GzXpHVPakjq16uZuDxqLOvCxXEAjT90DVBAMBTaU:05Hr+EGlXbT9uAQGU
MD5:	BE7438420F1DA854917F58CAD557476D
SHA1:	CAF1095963459AB66326CDC7ECAB29514938748F
SHA-256:	2A946F316EDD7E1185DEEAFDC2DE52B2D2843198BE098A724233C12F9CCD0DAE
SHA-512:	E35442704374A3B5E79BAD491F819AC82CE3054ED50AE1EEF0FC3ACBB6D3016BDBCDD63902236E247CB4B8279FF8FEC377AFA2753EBDBCA911D6D388D23A63DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;.A.U.A.U.A.U.G._.E.U.G.^.D.U.A.U.\.U.RichA.U.........................LE......................................................................................p...\|...................u.......u................L..%............................................L..........D:......E ..........LCOD......... ..........ICOD.............................................................................................................................CH341SER........\........................"..."..."..."..."...)...a...a...v...v...v...............`.......C.......:...............!...D...e...e...o.....t...0..P..p$..L..`$..H.. $..D..0!..@... ..<... '....24.....0......,......(..@.'....2 .$........................P.........................................P...... ......0.............@...........................P...... ......@......P........'.......X......`.'....1l.8.\.`.d.h.l.p.x.

C:\Windows\System32\SETBF4C.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	MS-DOS executable, LE executable for MS Windows (VxD)
Category:	dropped
Size (bytes):	20089
Entropy (8bit):	5.450760869632819
Encrypted:	false
SSDEEP:	384:GzXpHVPakjq16uZuDxqLOvCxXEAjT90DVBAMBTaU:05Hr+EGlXbT9uAQGU
MD5:	BE7438420F1DA854917F58CAD557476D
SHA1:	CAF1095963459AB66326CDC7ECAB29514938748F
SHA-256:	2A946F316EDD7E1185DEEAFDC2DE52B2D2843198BE098A724233C12F9CCD0DAE
SHA-512:	E35442704374A3B5E79BAD491F819AC82CE3054ED50AE1EEF0FC3ACBB6D3016BDBCDD63902236E247CB4B8279FF8FEC377AFA2753EBDBCA911D6D388D23A63DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;.A.U.A.U.A.U.G._.E.U.G.^.D.U.A.U.\.U.RichA.U.........................LE......................................................................................p...\|...................u.......u................L..%............................................L..........D:......E ..........LCOD......... ..........ICOD.............................................................................................................................CH341SER........\........................"..."..."..."..."...)...a...a...v...v...v...............`.......C.......:...............!...D...e...e...o.....t...0..P..p$..L..`$..H.. $..D..0!..@... ..<... '....24.....0......,......(..@.'....2 .$........................P.........................................P...... ......0.............@...........................P...... ......@......P........'.......X......`.'....1l.8.\.`.d.h.l.p.x.

C:\Windows\System32\catroot2\dberr.txt

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	74025
Entropy (8bit):	5.389839095690089
Encrypted:	false
SSDEEP:	1536:9btHoTB7cIxsw9pmDNHSJrR459D0w/smToijZQB4XKdJEBbWwSYcoMwVU5KaOsNv:9m
MD5:	10AFC0F46DFBE20179C535FC8AC7CFF2
SHA1:	5FF59972B66E327F3048B29ED47184B2D77BE94F
SHA-256:	2D7FA4779187CF8850C259456B52DC41334B62B64C336ECD3717A047BBCADADD
SHA-512:	CB8114E8C1BD734E743BA027F07643D3F759F7DB562A3846233AAFDF83619AADC96B2E50C1D900B9FCA956D12D845B0D46D0D36511AF26F7178DADCA5958050F
Malicious:	false
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

C:\Windows\System32\drivers\SETBD6D.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.24815654617757
Encrypted:	false
SSDEEP:	768:BUkA6vcfLLJQ0y0Apg++LVhf3/CsItc5muLuyJGN:q4uJQ70Apg++LLfvbJAeulN
MD5:	A9FC675D0029A525335B106487C7D578
SHA1:	0D8B829640DC907EE9B2E6DB1C43F8459D63E2E2
SHA-256:	50877BC8EA82BBAC833D25C9AC248E6FC9A240AB3C6D7E2C115667532C23676F
SHA-512:	8CF58435D597452A9D34E02E23FD78F18AB06D76FEB7531609EED58B369E10F08EE3D61B2A80A45196F6D76F2AC6249726D01E30102F1A6671B81F275C845238
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........................................................................................................................................................................................................................................................................................................................................................................................................6..OW..OW..OW..OW...W...t..FW..._.NW...X.NW...X.NW...X.NW..RichOW..........................PE..L......T............................'.......................................................................................X...d.......P.......................$.......................................................4............................text............................... ..h.rdata..4...........................@..H.data...@...........................@...INIT....................

C:\Windows\System32\drivers\SETBDAE.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.24815654617757
Encrypted:	false
SSDEEP:	768:BUkA6vcfLLJQ0y0Apg++LVhf3/CsItc5muLuyJGN:q4uJQ70Apg++LLfvbJAeulN
MD5:	A9FC675D0029A525335B106487C7D578
SHA1:	0D8B829640DC907EE9B2E6DB1C43F8459D63E2E2
SHA-256:	50877BC8EA82BBAC833D25C9AC248E6FC9A240AB3C6D7E2C115667532C23676F
SHA-512:	8CF58435D597452A9D34E02E23FD78F18AB06D76FEB7531609EED58B369E10F08EE3D61B2A80A45196F6D76F2AC6249726D01E30102F1A6671B81F275C845238
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........................................................................................................................................................................................................................................................................................................................................................................................................6..OW..OW..OW..OW...W...t..FW..._.NW...X.NW...X.NW...X.NW..RichOW..........................PE..L......T............................'.......................................................................................X...d.......P.......................$.......................................................4............................text............................... ..h.rdata..4...........................@..H.data...@...........................@...INIT....................

C:\Windows\System32\drivers\SETBE0D.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.24815654617757
Encrypted:	false
SSDEEP:	768:BUkA6vcfLLJQ0y0Apg++LVhf3/CsItc5muLuyJGN:q4uJQ70Apg++LLfvbJAeulN
MD5:	A9FC675D0029A525335B106487C7D578
SHA1:	0D8B829640DC907EE9B2E6DB1C43F8459D63E2E2
SHA-256:	50877BC8EA82BBAC833D25C9AC248E6FC9A240AB3C6D7E2C115667532C23676F
SHA-512:	8CF58435D597452A9D34E02E23FD78F18AB06D76FEB7531609EED58B369E10F08EE3D61B2A80A45196F6D76F2AC6249726D01E30102F1A6671B81F275C845238
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........................................................................................................................................................................................................................................................................................................................................................................................................6..OW..OW..OW..OW...W...t..FW..._.NW...X.NW...X.NW...X.NW..RichOW..........................PE..L......T............................'.......................................................................................X...d.......P.......................$.......................................................4............................text............................... ..h.rdata..4...........................@..H.data...@...........................@...INIT....................

C:\Windows\System32\drivers\SETBE7D.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.24815654617757
Encrypted:	false
SSDEEP:	768:BUkA6vcfLLJQ0y0Apg++LVhf3/CsItc5muLuyJGN:q4uJQ70Apg++LLfvbJAeulN
MD5:	A9FC675D0029A525335B106487C7D578
SHA1:	0D8B829640DC907EE9B2E6DB1C43F8459D63E2E2
SHA-256:	50877BC8EA82BBAC833D25C9AC248E6FC9A240AB3C6D7E2C115667532C23676F
SHA-512:	8CF58435D597452A9D34E02E23FD78F18AB06D76FEB7531609EED58B369E10F08EE3D61B2A80A45196F6D76F2AC6249726D01E30102F1A6671B81F275C845238
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........................................................................................................................................................................................................................................................................................................................................................................................................6..OW..OW..OW..OW...W...t..FW..._.NW...X.NW...X.NW...X.NW..RichOW..........................PE..L......T............................'.......................................................................................X...d.......P.......................$.......................................................4............................text............................... ..h.rdata..4...........................@..H.data...@...........................@...INIT....................

C:\Windows\System32\drivers\SETBF1C.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	19680
Entropy (8bit):	6.177213515531636
Encrypted:	false
SSDEEP:	384:3P2ie5TwxdKe9Vk5DT6Im2ULzQFAQOCsznlUt+3x:OiesSVTZm2ULz4A27wx
MD5:	B6F4A83911336E84BEAD8F8905285FAB
SHA1:	983786502F45AFB946F023D73E32A31BC1BBB91D
SHA-256:	0ECD1222627271EA31D3B64796992B6DAF5133D64CC26D43B3873CBE32FD59CB
SHA-512:	93E949EA7CF067E1CEC52F6DDE8678FC7BCEB2E947164040A087FDD63E799CC244EB6974323FC836F70AE777A67E9660F4E9E2DBB42DC0C4B099B1C2BE168964
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4.Y.Z.Y.Z.Y.Z.Y.[...Z...I.Z.Z...I.X.Z...\.X.Z.Y.Z.\.Z.RichY.Z.................PE..L....`nF...........#.....>..........X=.......;...... ... ...................@I......{-...............................<..U...X>..<....C..`...................`F..\|...p...8............................................................................text....9...... 9.................. ..h.data........;.......;..............@....edata..U....<..`....<..............@..@INIT........@=......@=.............. ....rsrc...`....C..`....C..............@..B.reloc......`F......`F..............@..B.........B...B......f?...?...?...?...?...?...?...@...@..6@..R@..n@..\|@...@...@...@...@..X?...A...A..&A..<A..NA..^A..vA...A...A...A...A...A...B...B..4B..JB..fB..F?...@..<?...................`nF................@I.......`nF................PJ.......`nF.................b..................>0.s.E=s;8\F.O../J?.

C:\Windows\System32\drivers\SETBF5D.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	19680
Entropy (8bit):	6.177213515531636
Encrypted:	false
SSDEEP:	384:3P2ie5TwxdKe9Vk5DT6Im2ULzQFAQOCsznlUt+3x:OiesSVTZm2ULz4A27wx
MD5:	B6F4A83911336E84BEAD8F8905285FAB
SHA1:	983786502F45AFB946F023D73E32A31BC1BBB91D
SHA-256:	0ECD1222627271EA31D3B64796992B6DAF5133D64CC26D43B3873CBE32FD59CB
SHA-512:	93E949EA7CF067E1CEC52F6DDE8678FC7BCEB2E947164040A087FDD63E799CC244EB6974323FC836F70AE777A67E9660F4E9E2DBB42DC0C4B099B1C2BE168964
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4.Y.Z.Y.Z.Y.Z.Y.[...Z...I.Z.Z...I.X.Z...\.X.Z.Y.Z.\.Z.RichY.Z.................PE..L....`nF...........#.....>..........X=.......;...... ... ...................@I......{-...............................<..U...X>..<....C..`...................`F..\|...p...8............................................................................text....9...... 9.................. ..h.data........;.......;..............@....edata..U....<..`....<..............@..@INIT........@=......@=.............. ....rsrc...`....C..`....C..............@..B.reloc......`F......`F..............@..B.........B...B......f?...?...?...?...?...?...?...@...@..6@..R@..n@..\|@...@...@...@...@..X?...A...A..&A..<A..NA..^A..vA...A...A...A...A...A...B...B..4B..JB..fB..F?...@..<?...................`nF................@I.......`nF................PJ.......`nF.................b..................>0.s.E=s;8\F.O../J?.

C:\Windows\Temp\OLDBD9C.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.24815654617757
Encrypted:	false
SSDEEP:	768:BUkA6vcfLLJQ0y0Apg++LVhf3/CsItc5muLuyJGN:q4uJQ70Apg++LLfvbJAeulN
MD5:	A9FC675D0029A525335B106487C7D578
SHA1:	0D8B829640DC907EE9B2E6DB1C43F8459D63E2E2
SHA-256:	50877BC8EA82BBAC833D25C9AC248E6FC9A240AB3C6D7E2C115667532C23676F
SHA-512:	8CF58435D597452A9D34E02E23FD78F18AB06D76FEB7531609EED58B369E10F08EE3D61B2A80A45196F6D76F2AC6249726D01E30102F1A6671B81F275C845238
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........................................................................................................................................................................................................................................................................................................................................................................................................6..OW..OW..OW..OW...W...t..FW..._.NW...X.NW...X.NW...X.NW..RichOW..........................PE..L......T............................'.......................................................................................X...d.......P.......................$.......................................................4............................text............................... ..h.rdata..4...........................@..H.data...@...........................@...INIT....................

C:\Windows\Temp\OLDBDBC.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	3.943977525490966
Encrypted:	false
SSDEEP:	96:UeIX+tip7uemP4I3bYFE6H6IyYrL9Cu6d0CGeSG4qb6Yiigx9BGWsy:Uegda4Irx6HhGLbqig7Lsy
MD5:	69B6FEC924C30042D329AE56CA8925CC
SHA1:	54E8D7D9004C8C819FE2E8BF7A1306BCBDD5ECBF
SHA-256:	45494CE819C1B5C21ABB72DC47A0CA36807E0ED74CE55B631DA174C77A9B24DB
SHA-512:	A6BC866712C2B6D2EC115341DE6EC5B352505FFF159AF967B03D27AD767164271F147780639E836A4DA54F4B2B688591EDF1374802CB5F7340062AEE9B341ABC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................l.......^...............Rich............PE..L...c..B ..........!......................... ....@..........................P..................................................<....0..8....................@..D...@...T...............................................4............................text............................... ..`.data...`.... ......................@....rsrc...8....0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\OLDBDEC.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.24815654617757
Encrypted:	false
SSDEEP:	768:BUkA6vcfLLJQ0y0Apg++LVhf3/CsItc5muLuyJGN:q4uJQ70Apg++LLfvbJAeulN
MD5:	A9FC675D0029A525335B106487C7D578
SHA1:	0D8B829640DC907EE9B2E6DB1C43F8459D63E2E2
SHA-256:	50877BC8EA82BBAC833D25C9AC248E6FC9A240AB3C6D7E2C115667532C23676F
SHA-512:	8CF58435D597452A9D34E02E23FD78F18AB06D76FEB7531609EED58B369E10F08EE3D61B2A80A45196F6D76F2AC6249726D01E30102F1A6671B81F275C845238
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........................................................................................................................................................................................................................................................................................................................................................................................................6..OW..OW..OW..OW...W...t..FW..._.NW...X.NW...X.NW...X.NW..RichOW..........................PE..L......T............................'.......................................................................................X...d.......P.......................$.......................................................4............................text............................... ..h.rdata..4...........................@..H.data...@...........................@...INIT....................

C:\Windows\Temp\OLDBE1C.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	3.943977525490966
Encrypted:	false
SSDEEP:	96:UeIX+tip7uemP4I3bYFE6H6IyYrL9Cu6d0CGeSG4qb6Yiigx9BGWsy:Uegda4Irx6HhGLbqig7Lsy
MD5:	69B6FEC924C30042D329AE56CA8925CC
SHA1:	54E8D7D9004C8C819FE2E8BF7A1306BCBDD5ECBF
SHA-256:	45494CE819C1B5C21ABB72DC47A0CA36807E0ED74CE55B631DA174C77A9B24DB
SHA-512:	A6BC866712C2B6D2EC115341DE6EC5B352505FFF159AF967B03D27AD767164271F147780639E836A4DA54F4B2B688591EDF1374802CB5F7340062AEE9B341ABC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................l.......^...............Rich............PE..L...c..B ..........!......................... ....@..........................P..................................................<....0..8....................@..D...@...T...............................................4............................text............................... ..`.data...`.... ......................@....rsrc...8....0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\OLDBE5C.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.24815654617757
Encrypted:	false
SSDEEP:	768:BUkA6vcfLLJQ0y0Apg++LVhf3/CsItc5muLuyJGN:q4uJQ70Apg++LLfvbJAeulN
MD5:	A9FC675D0029A525335B106487C7D578
SHA1:	0D8B829640DC907EE9B2E6DB1C43F8459D63E2E2
SHA-256:	50877BC8EA82BBAC833D25C9AC248E6FC9A240AB3C6D7E2C115667532C23676F
SHA-512:	8CF58435D597452A9D34E02E23FD78F18AB06D76FEB7531609EED58B369E10F08EE3D61B2A80A45196F6D76F2AC6249726D01E30102F1A6671B81F275C845238
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$........................................................................................................................................................................................................................................................................................................................................................................................................6..OW..OW..OW..OW...W...t..FW..._.NW...X.NW...X.NW...X.NW..RichOW..........................PE..L......T............................'.......................................................................................X...d.......P.......................$.......................................................4............................text............................... ..h.rdata..4...........................@..H.data...@...........................@...INIT....................

C:\Windows\Temp\OLDBE8B.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6712
Entropy (8bit):	3.943977525490966
Encrypted:	false
SSDEEP:	96:UeIX+tip7uemP4I3bYFE6H6IyYrL9Cu6d0CGeSG4qb6Yiigx9BGWsy:Uegda4Irx6HhGLbqig7Lsy
MD5:	69B6FEC924C30042D329AE56CA8925CC
SHA1:	54E8D7D9004C8C819FE2E8BF7A1306BCBDD5ECBF
SHA-256:	45494CE819C1B5C21ABB72DC47A0CA36807E0ED74CE55B631DA174C77A9B24DB
SHA-512:	A6BC866712C2B6D2EC115341DE6EC5B352505FFF159AF967B03D27AD767164271F147780639E836A4DA54F4B2B688591EDF1374802CB5F7340062AEE9B341ABC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................l.......^...............Rich............PE..L...c..B ..........!......................... ....@..........................P..................................................<....0..8....................@..D...@...T...............................................4............................text............................... ..`.data...`.... ......................@....rsrc...8....0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\OLDBF48.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	MS-DOS executable, LE executable for MS Windows (VxD)
Category:	dropped
Size (bytes):	20089
Entropy (8bit):	5.450760869632819
Encrypted:	false
SSDEEP:	384:GzXpHVPakjq16uZuDxqLOvCxXEAjT90DVBAMBTaU:05Hr+EGlXbT9uAQGU
MD5:	BE7438420F1DA854917F58CAD557476D
SHA1:	CAF1095963459AB66326CDC7ECAB29514938748F
SHA-256:	2A946F316EDD7E1185DEEAFDC2DE52B2D2843198BE098A724233C12F9CCD0DAE
SHA-512:	E35442704374A3B5E79BAD491F819AC82CE3054ED50AE1EEF0FC3ACBB6D3016BDBCDD63902236E247CB4B8279FF8FEC377AFA2753EBDBCA911D6D388D23A63DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;.A.U.A.U.A.U.G._.E.U.G.^.D.U.A.U.\.U.RichA.U.........................LE......................................................................................p...\|...................u.......u................L..%............................................L..........D:......E ..........LCOD......... ..........ICOD.............................................................................................................................CH341SER........\........................"..."..."..."..."...)...a...a...v...v...v...............`.......C.......:...............!...D...e...e...o.....t...0..P..p$..L..`$..H.. $..D..0!..@... ..<... '....24.....0......,......(..@.'....2 .$........................P.........................................P...... ......0.............@...........................P...... ......@......P........'.......X......`.'....1l.8.\.`.d.h.l.p.x.

C:\Windows\Temp\OLDBF59.tmp

Download File

Process:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
File Type:	PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	19680
Entropy (8bit):	6.177213515531636
Encrypted:	false
SSDEEP:	384:3P2ie5TwxdKe9Vk5DT6Im2ULzQFAQOCsznlUt+3x:OiesSVTZm2ULz4A27wx
MD5:	B6F4A83911336E84BEAD8F8905285FAB
SHA1:	983786502F45AFB946F023D73E32A31BC1BBB91D
SHA-256:	0ECD1222627271EA31D3B64796992B6DAF5133D64CC26D43B3873CBE32FD59CB
SHA-512:	93E949EA7CF067E1CEC52F6DDE8678FC7BCEB2E947164040A087FDD63E799CC244EB6974323FC836F70AE777A67E9660F4E9E2DBB42DC0C4B099B1C2BE168964
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4.Y.Z.Y.Z.Y.Z.Y.[...Z...I.Z.Z...I.X.Z...\.X.Z.Y.Z.\.Z.RichY.Z.................PE..L....`nF...........#.....>..........X=.......;...... ... ...................@I......{-...............................<..U...X>..<....C..`...................`F..\|...p...8............................................................................text....9...... 9.................. ..h.data........;.......;..............@....edata..U....<..`....<..............@..@INIT........@=......@=.............. ....rsrc...`....C..`....C..............@..B.reloc......`F......`F..............@..B.........B...B......f?...?...?...?...?...?...?...@...@..6@..R@..n@..\|@...@...@...@...@..X?...A...A..&A..<A..NA..^A..vA...A...A...A...A...A...B...B..4B..JB..fB..F?...@..<?...................`nF................@I.......`nF................PJ.......`nF.................b..................>0.s.E=s;8\F.O../J?.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Entropy (8bit):	7.499781496634125
TrID:	Win32 Executable (generic) a (10002005/4) 94.89% WinRAR Self Extracting archive (518540/5) 4.92% Windows Screen Saver (13104/52) 0.12% Win32 Executable Watcom C++ (generic) (2663/121) 0.03% Generic Win/DOS Executable (2004/3) 0.02%
File name:	CH341SER.EXE
File size:	243'321 bytes
MD5:	1af3fdebfbab3e247feb588aea64dd64
SHA1:	d557a8978877199bafe2e7baac63adab17bed05d
SHA256:	9cf96fddf474eda80f2b4c09f8ef19443cf6768429819e4cba7b869291b7b8b5
SHA512:	d0b7c4dd6726d8e1e894654f671bf4e00c1fdb91fc46f40bb02fd689ff2cca8036b92c1358e10f810fc3e1b518cbcf91b0a1e3a3ee8d36d179ec7bab43ea35c9
SSDEEP:	3072:h8U2yJN5f661xRZbALxB1Ojdgx8GYXfPGJ6I7onkduFJcc0WMc23dFORPSPo46Om:h8U2qy6rRZb7jxGYXDFJmWM93dYlGAGs
TLSH:	4C34E110BBD241F6D0811B3018BD6376DA38FF212E70F299DBDA5D5A2C34612B51EBB6
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	471e1f4de743726d

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x465278A2 [Tue May 22 04:59:14 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bc5ce990cf54f8d435a68eb97512f73e

Entrypoint Preview

Instruction
call 00007FE5B0DFFD54h
push eax
call 00007FE5B0E10364h
add byte ptr [eax], al
add byte ptr [eax], al
nop
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov ebx, dword ptr [ebp+0Ch]
mov esi, dword ptr [ebp+08h]
mov edx, ebx
push dword ptr [ebp+14h]
push 004150E1h
push 00000000h
push 00000000h
mov eax, esi
mov ecx, edi
call 00007FE5B0E01977h
sub ebx, 00000110h
je 00007FE5B0DFD227h
dec ebx
je 00007FE5B0DFD236h
jmp 00007FE5B0DFD279h
push dword ptr [ebp+14h]
push 00000066h
push esi
call 00007FE5B0E105C3h
mov eax, 00000001h
jmp 00007FE5B0DFD269h
and di, FFFFh
dec di
je 00007FE5B0DFD229h
dec di
je 00007FE5B0DFD245h
jmp 00007FE5B0DFD252h
push 00000080h
push 004169A4h
push 00000065h
push esi
call 00007FE5B0E10509h
push 00000001h
push esi
call 00007FE5B0E104E3h
mov eax, 00000001h
jmp 00007FE5B0DFD237h
push 00000000h
push esi
call 00007FE5B0E104D4h
mov eax, 00000001h
jmp 00007FE5B0DFD228h
xor eax, eax
jmp 00007FE5B0DFD224h
xor eax, eax
pop edi
pop esi
pop ebx
pop ebp
retn 0010h
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov ebx, dword ptr [ebp+0Ch]
mov esi, dword ptr [ebp+08h]
mov edx, ebx
push dword ptr [ebp+14h]
push 004150EEh
push 00000000h
push 00000000h
mov eax, esi
mov ecx, edi
call 00007FE5B0E018E4h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c000	0xfd1	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x2bcc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14000	0x13600	False	0.5781502016129032	data	6.444189953264481	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x15000	0x7000	0xa00	False	0.496484375	data	4.918269561248089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1c000	0x1000	0x1000	False	0.38232421875	GeoSwath RDF	5.123895815314081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1d000	0x4000	0x3c00	False	0.24368489583333333	data	3.5286611763859055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x1d420	0xbb6	Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m	Russian	Russia	0.2581721147431621
RT_ICON	0x1dfd8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.40591397849462363
RT_DIALOG	0x1e2c0	0x282	data	Russian	Russia	0.5046728971962616
RT_DIALOG	0x1e544	0x13a	data	Russian	Russia	0.6019108280254777
RT_DIALOG	0x1e680	0xe8	data	Russian	Russia	0.6939655172413793
RT_DIALOG	0x1e768	0x12e	data	Russian	Russia	0.5794701986754967
RT_DIALOG	0x1e898	0x338	data	Russian	Russia	0.4344660194174757
RT_DIALOG	0x1ebd0	0x222	data	Russian	Russia	0.5604395604395604
RT_STRING	0x1edf4	0x22c	data	Russian	Russia	0.420863309352518
RT_STRING	0x1f020	0x3b2	data	Russian	Russia	0.3964059196617336
RT_STRING	0x1f3d4	0x212	data	Russian	Russia	0.4339622641509434
RT_STRING	0x1f5e8	0x27e	data	Russian	Russia	0.4122257053291536
RT_RCDATA	0x1f868	0x10	data			1.5
RT_GROUP_ICON	0x1f878	0x14	data			1.15
RT_MANIFEST	0x1f88c	0x33f	XML 1.0 document, ASCII text, with CRLF line terminators	Russian	Russia	0.48736462093862815

Imports

DLL	Import
ADVAPI32.DLL	AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, SetFileSecurityA, SetFileSecurityW
KERNEL32.DLL	CloseHandle, CompareStringA, CreateDirectoryA, CreateDirectoryW, CreateFileA, CreateFileW, DeleteFileA, DeleteFileW, DosDateTimeToFileTime, ExitProcess, ExpandEnvironmentStringsA, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, FindResourceA, FreeLibrary, GetCPInfo, GetCommandLineA, GetCurrentDirectoryA, GetCurrentProcess, GetDateFormatA, GetFileAttributesA, GetFileAttributesW, GetFileType, GetFullPathNameA, GetLastError, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetNumberFormatA, GetProcAddress, GetProcessHeap, GetStdHandle, GetTempPathA, GetTickCount, GetTimeFormatA, GetVersionExA, GlobalAlloc, HeapAlloc, HeapFree, HeapReAlloc, IsDBCSLeadByte, LoadLibraryA, LocalFileTimeToFileTime, MoveFileA, MoveFileExA, MultiByteToWideChar, ReadFile, SetCurrentDirectoryA, SetEndOfFile, SetEnvironmentVariableA, SetFileAttributesA, SetFileAttributesW, SetFilePointer, SetFileTime, SetLastError, Sleep, SystemTimeToFileTime, WaitForSingleObject, WideCharToMultiByte, WriteFile, lstrcmpiA, lstrlenA
COMCTL32.DLL
COMDLG32.DLL	CommDlgExtendedError, GetOpenFileNameA, GetSaveFileNameA
GDI32.DLL	DeleteObject
SHELL32.DLL	SHBrowseForFolderA, SHChangeNotify, SHFileOperationA, SHGetFileInfoA, SHGetMalloc, SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA
USER32.DLL	CharToOemA, CharToOemBuffA, CharUpperA, CopyRect, CreateWindowExA, DefWindowProcA, DestroyIcon, DestroyWindow, DialogBoxParamA, DispatchMessageA, EnableWindow, EndDialog, FindWindowExA, GetClassNameA, GetClientRect, GetDlgItem, GetDlgItemTextA, GetMessageA, GetParent, GetSysColor, GetSystemMetrics, GetWindow, GetWindowLongA, GetWindowRect, GetWindowTextA, IsWindow, IsWindowVisible, LoadBitmapA, LoadCursorA, LoadIconA, LoadStringA, MapWindowPoints, MessageBoxA, OemToCharA, OemToCharBuffA, PeekMessageA, PostMessageA, RegisterClassExA, SendDlgItemMessageA, SendMessageA, SetDlgItemTextA, SetFocus, SetMenu, SetWindowLongA, SetWindowPos, SetWindowTextA, ShowWindow, TranslateMessage, UpdateWindow, WaitForInputIdle, wsprintfA, wvsprintfA
OLE32.DLL	CLSIDFromString, CoCreateInstance, CreateStreamOnHGlobal, OleInitialize, OleUninitialize

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

• CH341SER.EXE
• SETUP.EXE
• DRVSETUP64.exe
• drvinst.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• CH341SER.EXE
• SETUP.EXE
• DRVSETUP64.exe
• drvinst.exe

Click to jump to process

Target ID:	1
Start time:	19:37:36
Start date:	11/12/2023
Path:	C:\Users\user\Desktop\CH341SER.EXE
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CH341SER.EXE
Imagebase:	0x400000
File size:	243'321 bytes
MD5 hash:	1AF3FDEBFBAB3E247FEB588AEA64DD64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:37:36
Start date:	11/12/2023
Path:	C:\WCH.CN\CH341SER\SETUP.EXE
Wow64 process (32bit):	true
Commandline:	"C:\WCH.CN\CH341SER\SETUP.EXE"
Imagebase:	0x400000
File size:	100'288 bytes
MD5 hash:	181F68547D52360FC142AC3ADC2436B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:37:37
Start date:	11/12/2023
Path:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe
Wow64 process (32bit):	false
Commandline:	C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.EXE
Imagebase:	0x1000000
File size:	47'040 bytes
MD5 hash:	1FE688688C2082B37827DB54C4282AF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	19:38:41
Start date:	11/12/2023
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\CH341SER.INF" "9" "4dbd0d02f" "0000000000000168" "WinSta0\Default" "000000000000014C" "208" "C:\WCH.CN\CH341SER"
Imagebase:	0x7ff74f210000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CH341SER.EXE

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET891F.tmp

C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET89BC.tmp

C:\Users\user\AppData\Local\Temp\{75f2de58-5fbd-2644-94ef-2bf0ceab99a3}\SET8A49.tmp

C:\WCH.CN\CH341SER\CH341PT.DLL

C:\WCH.CN\CH341SER\CH341S64.SYS

C:\WCH.CN\CH341SER\CH341S98.SYS

C:\WCH.CN\CH341SER\CH341SER.INF

C:\WCH.CN\CH341SER\CH341SER.SYS

C:\WCH.CN\CH341SER\CH341SER.VXD

C:\WCH.CN\CH341SER\DRVSETUP64\DRVSETUP64.exe

C:\WCH.CN\CH341SER\SETUP.EXE

C:\WCH.CN\CH341SER\ch341SER.CAT

C:\Windows\INF\oem4.inf

C:\Windows\INF\setupapi.dev.log

C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET90CF.tmp

C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET915D.tmp

C:\Windows\System32\DriverStore\Temp\{0b35f042-1f13-5143-aa87-020a0ac731ad}\SET920A.tmp

C:\Windows\System32\SETBD7E.tmp

C:\Windows\System32\SETBDBE.tmp

C:\Windows\System32\SETBE2E.tmp

C:\Windows\System32\SETBE9D.tmp

C:\Windows\System32\SETBF1B.tmp

C:\Windows\System32\SETBF4C.tmp

C:\Windows\System32\catroot2\dberr.txt

Windows Analysis Report
CH341SER.EXE