ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae

Analysis

max time kernel
152s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
Size

6.4MB
MD5

e1e2d47aa65335fa2f4afc3cb080d91a
SHA1

0aa097e3cbb9dc3f250fb91c6418ed1cd310aa21
SHA256

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae
SHA512

8f7794f2678704e3ac2637e960dc295b3e06c0487d12db44f9ebfcd58e0f3901fe3471df593fabe69f1b667ec8a8bfcf9102cec0dfb88e4340ca74bd431be554
SSDEEP

98304:/SipA1YsrGQtIsBYpoc6cKu+y1FlSv0ibuhaXhK6UzoK4/V:qxOsSWIFj+u8Apy/V

Score

9^/10

bootkit evasion persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\rserver30\Update\getinfo.dll	acprotect

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Drops file in Drivers directory 4 IoCs

Processes:

DrvInst.exeae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\rminiv3.sys	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\drivers\xlkfs.sys	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET202F.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET202F.tmp	DrvInst.exe

Executes dropped EXE 11 IoCs

Processes:

sc.exesc.exedevcon.exedevcon.exesc.exesc.exesc.exesc.exerserver3.exeFamItrfc.ExeFamItrfc.Exe

pid process

2000 sc.exe
588 sc.exe
1636 devcon.exe
1780 devcon.exe
960 sc.exe
868 sc.exe
1532 sc.exe
388 sc.exe
1912 rserver3.exe
1480 FamItrfc.Exe
1768 FamItrfc.Exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1760 netsh.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2000	sc.exe
588	sc.exe
1636	devcon.exe
1780	devcon.exe
960	sc.exe
868	sc.exe
1532	sc.exe
388	sc.exe
1912	rserver3.exe
1480	FamItrfc.Exe
1768	FamItrfc.Exe

pid	process
1760	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1728-55-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
\Windows\SysWOW64\rserver30\Update\getinfo.dll	upx
behavioral1/memory/1728-80-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1728-170-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Loads dropped DLL 33 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.execmd.exerserver3.exeFamItrfc.ExeFamItrfc.Exerundll32.exe

pid	process
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1564	rundll32.exe
1564	rundll32.exe
1564	rundll32.exe
1564	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1728-55-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1728-80-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral1/memory/1728-170-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe

Drops file in System32 directory 64 IoCs

Processes:

DrvInst.exeae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exeDrvInst.execmd.exerserver3.exedevcon.exeSecEdit.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\rserver30	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\RCursor.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rminiv3.sys	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\64bit\devcon.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\SET1864.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\mirrorv3.inf	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\Radm_log.htm	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\Update\ds.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\tp.inf	cmd.exe
File created	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\SET1833.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\rserver30\Radm_log.htm	rserver3.exe
File created	C:\Windows\SysWOW64\rserver30\FirewallInstallHelper.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\mirrorv3.cat	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\Update\Update.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\SET1874.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\mirrorv3.inf	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\FamItrf2.Exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\64bit\Fam64Helper.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\64bit\raddrvv3.sys	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\SET1874.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\rchatx.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\ntstest	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rserver30\tp.log	SecEdit.exe
File created	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\SET1853.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\mirrorv3.cat	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\devcon.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rschatx.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rsetup.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\voicex.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\vcintsx.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\SysWOW64\rserver30\tp.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_neutral_464860d34203ec0c\mirrorv3.PNF	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\reg.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\mirrorv3.dll	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\nts64helper.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\64bit\rsetup64.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_neutral_464860d34203ec0c\mirrorv3.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	devcon.exe
File created	C:\Windows\SysWOW64\rserver30\WinLpcDl2.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\64bit\mirrorv3.inf	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\rminiv3.sys	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\2052.lng_rad	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\raddrvv3.sys	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\raudiox.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rserver3.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\rsl.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{482b2167-60d7-6e0a-4beb-ba6d46a5fa2b}\SET1833.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\64bit\rminiv3.sys	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\SET203F.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\CHATLOGS\info.txt	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\ChatLPCx.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\WinLpcDl.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\wsock32.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\64bit\mirrorv3.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\install.cmd	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\R_sui.dll	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
File created	C:\Windows\SysWOW64\rserver30\sc.exe	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe

Drops file in Windows directory 14 IoCs

Processes:

DrvInst.exeDrvInst.exedevcon.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	devcon.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

868 sc.exe
1532 sc.exe
388 sc.exe
2000 sc.exe
588 sc.exe
960 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
868	sc.exe
1532	sc.exe
388	sc.exe
2000	sc.exe
588	sc.exe
960	sc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exerserver3.exeFamItrfc.ExeFamItrfc.Exerundll32.exe

pid	process
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1480	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1912	rserver3.exe
1912	rserver3.exe
1564	rundll32.exe
1564	rundll32.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe
1912	rserver3.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

devcon.exeDrvInst.exeDrvInst.exerserver3.exeFamItrfc.ExeFamItrfc.Exerundll32.exe

description	pid	process
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	2032	DrvInst.exe
Token: SeRestorePrivilege	1780	devcon.exe
Token: SeLoadDriverPrivilege	1780	devcon.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeRestorePrivilege	1652	DrvInst.exe
Token: SeLoadDriverPrivilege	1652	DrvInst.exe
Token: SeLoadDriverPrivilege	1652	DrvInst.exe
Token: SeTakeOwnershipPrivilege	1912	rserver3.exe
Token: SeTcbPrivilege	1912	rserver3.exe
Token: SeTcbPrivilege	1480	FamItrfc.Exe
Token: SeAssignPrimaryTokenPrivilege	1480	FamItrfc.Exe
Token: SeCreateTokenPrivilege	1480	FamItrfc.Exe
Token: SeDebugPrivilege	1480	FamItrfc.Exe
Token: SeBackupPrivilege	1480	FamItrfc.Exe
Token: SeRestorePrivilege	1480	FamItrfc.Exe
Token: SeBackupPrivilege	1480	FamItrfc.Exe
Token: SeRestorePrivilege	1480	FamItrfc.Exe
Token: SeTcbPrivilege	1768	FamItrfc.Exe
Token: SeAssignPrimaryTokenPrivilege	1768	FamItrfc.Exe
Token: SeCreateTokenPrivilege	1768	FamItrfc.Exe
Token: SeDebugPrivilege	1768	FamItrfc.Exe
Token: SeIncreaseQuotaPrivilege	1564	rundll32.exe
Token: SeSecurityPrivilege	1564	rundll32.exe
Token: SeTakeOwnershipPrivilege	1564	rundll32.exe
Token: SeLoadDriverPrivilege	1564	rundll32.exe
Token: SeSystemProfilePrivilege	1564	rundll32.exe
Token: SeSystemtimePrivilege	1564	rundll32.exe
Token: SeProfSingleProcessPrivilege	1564	rundll32.exe
Token: SeIncBasePriorityPrivilege	1564	rundll32.exe
Token: SeCreatePagefilePrivilege	1564	rundll32.exe

Suspicious use of FindShellTrayWindow 60 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exeFamItrfc.Exe

pid	process
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe

Suspicious use of SendNotifyMessage 60 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exeFamItrfc.Exe

pid	process
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe
1768	FamItrfc.Exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.execmd.exenet.exenet.exe

description	pid	process	target process
PID 1728 wrote to memory of 1304	1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe	cmd.exe
PID 1728 wrote to memory of 1304	1728	ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe	cmd.exe
PID 1304 wrote to memory of 1272	1304	cmd.exe	net.exe
PID 1304 wrote to memory of 1272	1304	cmd.exe	net.exe
PID 1304 wrote to memory of 1272	1304	cmd.exe	net.exe
PID 1304 wrote to memory of 1272	1304	cmd.exe	net.exe
PID 1272 wrote to memory of 1208	1272	net.exe	net1.exe
PID 1272 wrote to memory of 1208	1272	net.exe	net1.exe
PID 1272 wrote to memory of 1208	1272	net.exe	net1.exe
PID 1272 wrote to memory of 1208	1272	net.exe	net1.exe
PID 1304 wrote to memory of 2000	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 2000	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 2000	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 2000	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 1772	1304	cmd.exe	net.exe
PID 1304 wrote to memory of 1772	1304	cmd.exe	net.exe
PID 1304 wrote to memory of 1772	1304	cmd.exe	net.exe
PID 1304 wrote to memory of 1772	1304	cmd.exe	net.exe
PID 1772 wrote to memory of 1932	1772	net.exe	net1.exe
PID 1772 wrote to memory of 1932	1772	net.exe	net1.exe
PID 1772 wrote to memory of 1932	1772	net.exe	net1.exe
PID 1772 wrote to memory of 1932	1772	net.exe	net1.exe
PID 1304 wrote to memory of 588	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 588	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 588	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 588	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 268	1304	cmd.exe	SecEdit.exe
PID 1304 wrote to memory of 268	1304	cmd.exe	SecEdit.exe
PID 1304 wrote to memory of 268	1304	cmd.exe	SecEdit.exe
PID 1304 wrote to memory of 268	1304	cmd.exe	SecEdit.exe
PID 1304 wrote to memory of 1636	1304	cmd.exe	devcon.exe
PID 1304 wrote to memory of 1636	1304	cmd.exe	devcon.exe
PID 1304 wrote to memory of 1636	1304	cmd.exe	devcon.exe
PID 1304 wrote to memory of 1636	1304	cmd.exe	devcon.exe
PID 1304 wrote to memory of 1780	1304	cmd.exe	devcon.exe
PID 1304 wrote to memory of 1780	1304	cmd.exe	devcon.exe
PID 1304 wrote to memory of 1780	1304	cmd.exe	devcon.exe
PID 1304 wrote to memory of 1780	1304	cmd.exe	devcon.exe
PID 1304 wrote to memory of 960	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 960	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 960	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 960	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 868	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 868	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 868	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 868	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 1532	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 1532	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 1532	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 1532	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 388	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 388	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 388	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 388	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 1760	1304	cmd.exe	netsh.exe
PID 1304 wrote to memory of 1760	1304	cmd.exe	netsh.exe
PID 1304 wrote to memory of 1760	1304	cmd.exe	netsh.exe
PID 1304 wrote to memory of 1760	1304	cmd.exe	netsh.exe
PID 1304 wrote to memory of 320	1304	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe
"C:\Users\Admin\AppData\Local\Temp\ae0ce326a2bb42d4b4841ae68b4e9e3a90c55a7dcf5d61665538f6c157a6b7ae.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\rserver30\install.cmd
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\net.exe
net stop rserver3
3⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rserver3
4⤵
PID:1208

C:\Windows\SysWOW64\rserver30\sc.exe
sc delete rserver3
3⤵
- Executes dropped EXE
- Launches sc.exe
PID:2000

C:\Windows\SysWOW64\net.exe
net stop raddrvv3
3⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop raddrvv3
4⤵
PID:1932

C:\Windows\SysWOW64\rserver30\sc.exe
sc delete raddrvv3
3⤵
- Executes dropped EXE
- Launches sc.exe
PID:588

C:\Windows\SysWOW64\SecEdit.exe
secedit /configure /db tp.sdb /cfg tp.inf /log tp.log
3⤵
- Drops file in System32 directory
PID:268

C:\Windows\SysWOW64\rserver30\devcon.exe
devcon remove radmin_mirror_v3
3⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\rserver30\devcon.exe
devcon install mirrorv3.inf radmin_mirror_v3
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\rserver30\sc.exe
sc create Rserver3 binpath= "C:\Windows\SysWOW64\rserver30\rserver3.exe /service" type= own type= interact start= auto
3⤵
- Executes dropped EXE
- Launches sc.exe
PID:960

C:\Windows\SysWOW64\rserver30\sc.exe
sc config Rserver3 DisplayName= "Radmin Server V3"
3⤵
- Executes dropped EXE
- Launches sc.exe
PID:868

C:\Windows\SysWOW64\rserver30\sc.exe
sc failure Rserver3 reset= 0 actions= restart/0
3⤵
- Executes dropped EXE
- Launches sc.exe
PID:1532

C:\Windows\SysWOW64\rserver30\sc.exe
sc create raddrvv3 binpath= "C:\Windows\SysWOW64\rserver30\raddrvv3.sys" type= kernel start= system group= Base displayname= raddrvv3
3⤵
- Executes dropped EXE
- Launches sc.exe
PID:388

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\SysWOW64\rserver30\rserver3.exe" rserver3 ENABLE
3⤵
- Modifies Windows Firewall
PID:1760

C:\Windows\SysWOW64\net.exe
net start Rserver3
3⤵
PID:320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Rserver3
4⤵
PID:596

C:\Windows\SysWOW64\net.exe
net start raddrvv3
3⤵
PID:1172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start raddrvv3
4⤵
PID:988

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Windows\SysWOW64\rserver30\wsock32.dll",ntskd
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{439cde02-ff2f-1288-6b5c-716e257f9f14}\mirrorv3.inf" "9" "60bbf019f" "0000000000000574" "WinSta0\Default" "00000000000004E4" "208" "c:\windows\syswow64\rserver30"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem2.inf" "mirrorv3.inf:Mirror.Mfg.NTamd64:mirrorv3:3.1.0.0:radmin_mirror_v3" "60bbf019f" "0000000000000574" "00000000000005BC" "00000000000005C4"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\rserver30\rserver3.exe
C:\Windows\SysWOW64\rserver30\rserver3.exe /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\rserver30\FamItrfc.Exe
"C:\Windows\SysWOW64\rserver30\FamItrfc.Exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\rserver30\FamItrfc.Exe
"C:\Windows\SysWOW64\rserver30\FamItrfc.Exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1768

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Bootkit

T1067

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{439CD~1\mirrorv3.dll
Filesize
16KB

MD5
116bbd9926614070f4f01393d10eca08

SHA1
505ceba65e29daa4e091f7d4c497cf654344795d

SHA256
3cbe182b0828ef0e9533beecdad674f06dddc30b73a2c621e2460dadebd9b407

SHA512
ff426e88d850dd8da2f68109c7c69ce3da92287a307cfb7883c857c4f29ba8e7192b897c9851fca4943038eab0149fc259f2c997e4744fe40e32066437098e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\{439CD~1\rminiv3.sys
Filesize
5KB

MD5
090ee52afdff9932909c480bdda0c8ce

SHA1
ae787dbf6a539818bccd1df037cdfe50ad5d08c2

SHA256
91be40f2b4d9912979611e0545f6a1e9d8af81ac149a11f46180ef5015e58cdf

SHA512
9b36d5afb6023d9d6a83b7d95d63ee2cfaa86e79021fda8400131c0ea742fab5e485a1eb226397d1677145295c897da248610aeb1a13211aa67d5af839431ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{439cde02-ff2f-1288-6b5c-716e257f9f14}\mirrorv3.cat
Filesize
10KB

MD5
73b8eb012919dace778b41145c6df3ad

SHA1
0253ebc34886237d5a5d469ec48eb48077842aa5

SHA256
26d93aeacad81c893000e86dfe7fbaf6e6972861656567e211ac9db6f065812d

SHA512
a460d473dd76ecae59b29569f3eb4f81ac60aada07a7a609006969fc63236a3625570e54b6bf73adf403190cef0256746a1256850d28364a9067752ba7258653

Download Submit
C:\Users\Admin\AppData\Local\Temp\{439cde02-ff2f-1288-6b5c-716e257f9f14}\mirrorv3.inf
Filesize
2KB

MD5
f5273aae90874a5ba71b05642dff86af

SHA1
f532d104c395600492d4bf21951cceea42fe9178

SHA256
ebee10f12b7fc2d102b8cd1c173afb7494d9f77b938caeafe0873c4dabf86e4d

SHA512
7d26877b9af860db40ab16da0886889ede8a751f9ff77dabac0365751da02db5212f0fd413ae0b4bcf960bc515551e28f3301fc12e61690783c0ee8a42f303d6

Download Submit
C:\Windows\INF\oem2.inf
Filesize
2KB

MD5
f5273aae90874a5ba71b05642dff86af

SHA1
f532d104c395600492d4bf21951cceea42fe9178

SHA256
ebee10f12b7fc2d102b8cd1c173afb7494d9f77b938caeafe0873c4dabf86e4d

SHA512
7d26877b9af860db40ab16da0886889ede8a751f9ff77dabac0365751da02db5212f0fd413ae0b4bcf960bc515551e28f3301fc12e61690783c0ee8a42f303d6

Download Submit
C:\Windows\SysWOW64\rserver30\ChatLPCx.dll
Filesize
369KB

MD5
18a6aeaf036d4fe4ea3c798a4f848f1d

SHA1
5e07b13622dcba361201965f5f043c101217a5c8

SHA256
5d393d82670070c9b3be2cdae8c7de654ef3439edc30dc60b1882a7003706a91

SHA512
1ff784a32d6c8f72e206f11196010cd958129651d91d0cdc1fb6b177ebd4f3906bcb072fa1e802bd5b8ff5ee9cb701a1c6f80b7c26b501f945d1d94009cbe7a1

Download Submit
C:\Windows\SysWOW64\rserver30\FamItrfc.Exe
Filesize
157KB

MD5
797338bb6bc3bf803cd55fbf086dcd0d

SHA1
7330c4e446f085c13561130aafc281059eabccc2

SHA256
86ecbd5086d71b528385653f0d9ced4bfd50dfcc9201d228ea114d742964823c

SHA512
643a47bca9d9398b2a8aff1a11a0468a77a98409bdb70cb74392400b964292eabd0af89a0272779e89328e12d666e0edbc401c0346e7c1f901a2823e216b8470

Download Submit
C:\Windows\SysWOW64\rserver30\FamItrfc.Exe
Filesize
157KB

MD5
797338bb6bc3bf803cd55fbf086dcd0d

SHA1
7330c4e446f085c13561130aafc281059eabccc2

SHA256
86ecbd5086d71b528385653f0d9ced4bfd50dfcc9201d228ea114d742964823c

SHA512
643a47bca9d9398b2a8aff1a11a0468a77a98409bdb70cb74392400b964292eabd0af89a0272779e89328e12d666e0edbc401c0346e7c1f901a2823e216b8470

Download Submit
C:\Windows\SysWOW64\rserver30\FamItrfc.Exe
Filesize
157KB

MD5
797338bb6bc3bf803cd55fbf086dcd0d

SHA1
7330c4e446f085c13561130aafc281059eabccc2

SHA256
86ecbd5086d71b528385653f0d9ced4bfd50dfcc9201d228ea114d742964823c

SHA512
643a47bca9d9398b2a8aff1a11a0468a77a98409bdb70cb74392400b964292eabd0af89a0272779e89328e12d666e0edbc401c0346e7c1f901a2823e216b8470

Download Submit
C:\Windows\SysWOW64\rserver30\Radm_log.htm
Filesize
332B

MD5
0d1c011616363b95aea3a609c858f1e1

SHA1
cb7c0973eded2cd89ea1843c2fb20364a361e808

SHA256
753cc8dbddc14ddc2e56c5f5ef65efc38ba197750d69c011550fc9b61160550d

SHA512
dbfd726640c1c732a057511dee5a3e32f65facdfe08c1a997bb3446dc6985296dbc570d0703e4479ddc98acca6992be2c0a71a40531ff2f0f8d53b5d340f9740

Download Submit
C:\Windows\SysWOW64\rserver30\WSOCK32.dll
Filesize
73KB

MD5
550bbb5693887738e28955cea4497308

SHA1
b1e9a54702dd55283706e13487fa23da772c10bb

SHA256
6e832819a858afd9319f2cd975a99183505bab00f7cea0492b943c2ebb66c95b

SHA512
efd56fd2490c559413e17546e1c6ca14a30005031b87c330ebcf6122a31eea3ae2952e57479967ff92448eb490cbf1f0695873b6251e859cebad5aded5a400d8

Download Submit
C:\Windows\SysWOW64\rserver30\WinLpcDl.dll
Filesize
224KB

MD5
d3eafd4f8cda4050cc67db87de177c70

SHA1
09813c43f2fbfa55652c3586317e37def0bcb446

SHA256
6418c051f21e3bfdb196a8d31873fd3ece490a100ac447f90e87c1c3a2a57cb1

SHA512
5ae3f0a757c829a96b37b79c491f8e53e8d9cc513c1700780e949d653b3a0e87517bbc91ef288ea3ba9ca6a4cac0b2c1e4f5bb6e462af31062c944fc930fda87

Download Submit
C:\Windows\SysWOW64\rserver30\devcon.exe
Filesize
79KB

MD5
0eef488df0e3b2ed497315d6ae2111c6

SHA1
dc5764dd42d60a772456fb231327cbfbdd4886e3

SHA256
8f584354d11cc729c0e113c940fce111e881f0fa6c506770759693a5cab7d918

SHA512
105c626d921379ec500e575aeb164ada4852935a54140f123e05c31c5ad707f19921fb842b1ae33f2a0a71b3b30b77312fae5ed24fdc9ccc4580a9952eba52c8

Download Submit
C:\Windows\SysWOW64\rserver30\devcon.exe
Filesize
79KB

MD5
0eef488df0e3b2ed497315d6ae2111c6

SHA1
dc5764dd42d60a772456fb231327cbfbdd4886e3

SHA256
8f584354d11cc729c0e113c940fce111e881f0fa6c506770759693a5cab7d918

SHA512
105c626d921379ec500e575aeb164ada4852935a54140f123e05c31c5ad707f19921fb842b1ae33f2a0a71b3b30b77312fae5ed24fdc9ccc4580a9952eba52c8

Download Submit
C:\Windows\SysWOW64\rserver30\devcon.exe
Filesize
79KB

MD5
0eef488df0e3b2ed497315d6ae2111c6

SHA1
dc5764dd42d60a772456fb231327cbfbdd4886e3

SHA256
8f584354d11cc729c0e113c940fce111e881f0fa6c506770759693a5cab7d918

SHA512
105c626d921379ec500e575aeb164ada4852935a54140f123e05c31c5ad707f19921fb842b1ae33f2a0a71b3b30b77312fae5ed24fdc9ccc4580a9952eba52c8

Download Submit
C:\Windows\SysWOW64\rserver30\install.cmd
Filesize
2KB

MD5
87075d5ac0ddd8a3db0db58a4a0c3abf

SHA1
aa58bfc73b77949b25965454ae98b442f30b4c39

SHA256
eb8c88a45741cb198990f6f4786065ffffc2ca6da5e27b8a637afbe9dfe8c309

SHA512
77f77f66daa72a7b01c1aede7905a00595cdb743b0d34884886113596409e7366ce1fb0a12aa45620903401358f742f5e4dca0d34f175f34fa74c1ae21eee08f

Download Submit
C:\Windows\SysWOW64\rserver30\mirrorv3.inf
Filesize
2KB

MD5
f5273aae90874a5ba71b05642dff86af

SHA1
f532d104c395600492d4bf21951cceea42fe9178

SHA256
ebee10f12b7fc2d102b8cd1c173afb7494d9f77b938caeafe0873c4dabf86e4d

SHA512
7d26877b9af860db40ab16da0886889ede8a751f9ff77dabac0365751da02db5212f0fd413ae0b4bcf960bc515551e28f3301fc12e61690783c0ee8a42f303d6

Download Submit
C:\Windows\SysWOW64\rserver30\r_sui.dll
Filesize
282KB

MD5
49273e99656306696623c2da320e27c8

SHA1
38918475c9db2a94482dd487b4dce3867dd6cfe1

SHA256
06862a9d19110b24ff91a17c4531072e57debb9ff48d8e488e7e2d13966844a0

SHA512
92737020f4e34a5effb4db8fb487fd74fab0776780e7b49afe7d67d1c1f9886f22fe7145656a58c3e0601a8cc8b8692a2bcd04fba45c5dcc9a3464c45e26868a

Download Submit
C:\Windows\SysWOW64\rserver30\rserver3.exe
Filesize
1.2MB

MD5
84d738020c550725635c591fe48c288a

SHA1
b3bab4eb84980d31f8eb1656f29635f6037a0797

SHA256
7fa9ca072ad5d07822934a8186fc9f05a16d30e38ad820603009c2ccd72e9cb6

SHA512
51ce3101923b29b67d59bcf81c67570ee70ffde3dfd206b160e4dd8b36ec58366d95ab304b9bdaf5e6a9bfe31aeb84c4200ed79efa2c17761187cac0e931c872

Download Submit
C:\Windows\SysWOW64\rserver30\rserver3.exe
Filesize
1.2MB

MD5
84d738020c550725635c591fe48c288a

SHA1
b3bab4eb84980d31f8eb1656f29635f6037a0797

SHA256
7fa9ca072ad5d07822934a8186fc9f05a16d30e38ad820603009c2ccd72e9cb6

SHA512
51ce3101923b29b67d59bcf81c67570ee70ffde3dfd206b160e4dd8b36ec58366d95ab304b9bdaf5e6a9bfe31aeb84c4200ed79efa2c17761187cac0e931c872

Download Submit
C:\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
C:\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
C:\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
C:\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
C:\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
C:\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
C:\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
C:\Windows\SysWOW64\rserver30\tp.log
Filesize
2KB

MD5
326e387671c21ff2948e42b800678ca1

SHA1
c1b8266a420cc7b2a9c918ec58a524742a2d95f8

SHA256
f2a6fab34868b4ccde2eb026b6f915d024efbc1bea849aeebc9826c3ef6b356e

SHA512
dba14e443b2dc72b4b23bbd5e5581eb5f46ac70c552ff226e69d9d2276a1b5f7ae684539c6e72c56b0b14c77b1fc1ff60a3b5d5a9588f480499dfc686d88736a

Download Submit
C:\Windows\SysWOW64\rserver30\vcintcx.dll
Filesize
493KB

MD5
9714e310b41b2d59e7b6582e7ca95abd

SHA1
4b446651b9c338e3a8d1b1491714d98ded580b1e

SHA256
c792ba0c7f738bf47da789713849f3be1036381d71ac9f63d5f98ccbfdca0de3

SHA512
22d7a17d045d97c3f260062350604c3533f6ded52e05a8ef52c2e3fab524336ca2b6389663a77e94207405207103a97fbc55a380853823e8a9acc9b2171b2fbb

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\MIRROR~1.INF\mirrorv3.dll
Filesize
16KB

MD5
116bbd9926614070f4f01393d10eca08

SHA1
505ceba65e29daa4e091f7d4c497cf654344795d

SHA256
3cbe182b0828ef0e9533beecdad674f06dddc30b73a2c621e2460dadebd9b407

SHA512
ff426e88d850dd8da2f68109c7c69ce3da92287a307cfb7883c857c4f29ba8e7192b897c9851fca4943038eab0149fc259f2c997e4744fe40e32066437098e65

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\MIRROR~1.INF\rminiv3.sys
Filesize
5KB

MD5
090ee52afdff9932909c480bdda0c8ce

SHA1
ae787dbf6a539818bccd1df037cdfe50ad5d08c2

SHA256
91be40f2b4d9912979611e0545f6a1e9d8af81ac149a11f46180ef5015e58cdf

SHA512
9b36d5afb6023d9d6a83b7d95d63ee2cfaa86e79021fda8400131c0ea742fab5e485a1eb226397d1677145295c897da248610aeb1a13211aa67d5af839431ac3

Download Submit
C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_neutral_464860d34203ec0c\mirrorv3.PNF
Filesize
8KB

MD5
879f16abd25c3688e21e6c852bf77806

SHA1
ef7180b4f35d11cf27b48e3a5108b611cce7b371

SHA256
0c4ff2eb5621173ee99e2b11cdd15c04f6ca6a6b892fc0e444b41f54094df29a

SHA512
e247120fa88fe1495031a71d62f00a46479d23ce0e89e4180cbab34ddfbb887cdd2ee0dbb4280c9ae343945cb9a29d0b75695e6e4eaf865a78da899e83a378a3

Download Submit
C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_neutral_464860d34203ec0c\mirrorv3.cat
Filesize
10KB

MD5
73b8eb012919dace778b41145c6df3ad

SHA1
0253ebc34886237d5a5d469ec48eb48077842aa5

SHA256
26d93aeacad81c893000e86dfe7fbaf6e6972861656567e211ac9db6f065812d

SHA512
a460d473dd76ecae59b29569f3eb4f81ac60aada07a7a609006969fc63236a3625570e54b6bf73adf403190cef0256746a1256850d28364a9067752ba7258653

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1
Filesize
1.4MB

MD5
e1f9fd54c70d72cc99b83d1db233213e

SHA1
4ac4f904e7897cfd83a4b2909320661b6bea9cfc

SHA256
feff0a840517534f1e17f96b2789610db8b8f0a7aa1d6ff225e981ed5b06a143

SHA512
4c33334734b6ce567ad058af4b1c8fc77ce5732834ea03c2af5c3e8a3d870d5caeee15d97fd52baf49e8d0045d2e79e73fef7921dca3fbfb91541bb9f6a37fe4

Download Submit
\??\c:\windows\syswow64\RSERVE~1\mirrorv3.dll
Filesize
16KB

MD5
116bbd9926614070f4f01393d10eca08

SHA1
505ceba65e29daa4e091f7d4c497cf654344795d

SHA256
3cbe182b0828ef0e9533beecdad674f06dddc30b73a2c621e2460dadebd9b407

SHA512
ff426e88d850dd8da2f68109c7c69ce3da92287a307cfb7883c857c4f29ba8e7192b897c9851fca4943038eab0149fc259f2c997e4744fe40e32066437098e65

Download Submit
\??\c:\windows\syswow64\RSERVE~1\rminiv3.sys
Filesize
5KB

MD5
090ee52afdff9932909c480bdda0c8ce

SHA1
ae787dbf6a539818bccd1df037cdfe50ad5d08c2

SHA256
91be40f2b4d9912979611e0545f6a1e9d8af81ac149a11f46180ef5015e58cdf

SHA512
9b36d5afb6023d9d6a83b7d95d63ee2cfaa86e79021fda8400131c0ea742fab5e485a1eb226397d1677145295c897da248610aeb1a13211aa67d5af839431ac3

Download Submit
\??\c:\windows\syswow64\rserver30\mirrorv3.cat
Filesize
10KB

MD5
73b8eb012919dace778b41145c6df3ad

SHA1
0253ebc34886237d5a5d469ec48eb48077842aa5

SHA256
26d93aeacad81c893000e86dfe7fbaf6e6972861656567e211ac9db6f065812d

SHA512
a460d473dd76ecae59b29569f3eb4f81ac60aada07a7a609006969fc63236a3625570e54b6bf73adf403190cef0256746a1256850d28364a9067752ba7258653

Download Submit
\Windows\SysWOW64\rserver30\ChatLPCx.dll
Filesize
369KB

MD5
18a6aeaf036d4fe4ea3c798a4f848f1d

SHA1
5e07b13622dcba361201965f5f043c101217a5c8

SHA256
5d393d82670070c9b3be2cdae8c7de654ef3439edc30dc60b1882a7003706a91

SHA512
1ff784a32d6c8f72e206f11196010cd958129651d91d0cdc1fb6b177ebd4f3906bcb072fa1e802bd5b8ff5ee9cb701a1c6f80b7c26b501f945d1d94009cbe7a1

Download Submit
\Windows\SysWOW64\rserver30\FamItrfc.Exe
Filesize
157KB

MD5
797338bb6bc3bf803cd55fbf086dcd0d

SHA1
7330c4e446f085c13561130aafc281059eabccc2

SHA256
86ecbd5086d71b528385653f0d9ced4bfd50dfcc9201d228ea114d742964823c

SHA512
643a47bca9d9398b2a8aff1a11a0468a77a98409bdb70cb74392400b964292eabd0af89a0272779e89328e12d666e0edbc401c0346e7c1f901a2823e216b8470

Download Submit
\Windows\SysWOW64\rserver30\Update\ds.dll
Filesize
64KB

MD5
0e6348217952742e467e254f2ec751ce

SHA1
58c2e9381cce0e3990609db0965c2fc69d258536

SHA256
655132cce75d019a01fda98e8b51b226bfbe9cf2a9e9d685678349c21f3e9a23

SHA512
e6b8f584d132115fd748036dd7a6c6ce31fad8613ba7a666055e34796ec068919c7934776fa18797c90005e2662ac26e6a8a6b8f4fecb9f89842533e829672a5

Download Submit
\Windows\SysWOW64\rserver30\Update\ds.dll
Filesize
64KB

MD5
0e6348217952742e467e254f2ec751ce

SHA1
58c2e9381cce0e3990609db0965c2fc69d258536

SHA256
655132cce75d019a01fda98e8b51b226bfbe9cf2a9e9d685678349c21f3e9a23

SHA512
e6b8f584d132115fd748036dd7a6c6ce31fad8613ba7a666055e34796ec068919c7934776fa18797c90005e2662ac26e6a8a6b8f4fecb9f89842533e829672a5

Download Submit
\Windows\SysWOW64\rserver30\Update\ds.dll
Filesize
64KB

MD5
0e6348217952742e467e254f2ec751ce

SHA1
58c2e9381cce0e3990609db0965c2fc69d258536

SHA256
655132cce75d019a01fda98e8b51b226bfbe9cf2a9e9d685678349c21f3e9a23

SHA512
e6b8f584d132115fd748036dd7a6c6ce31fad8613ba7a666055e34796ec068919c7934776fa18797c90005e2662ac26e6a8a6b8f4fecb9f89842533e829672a5

Download Submit
\Windows\SysWOW64\rserver30\Update\ds.dll
Filesize
64KB

MD5
0e6348217952742e467e254f2ec751ce

SHA1
58c2e9381cce0e3990609db0965c2fc69d258536

SHA256
655132cce75d019a01fda98e8b51b226bfbe9cf2a9e9d685678349c21f3e9a23

SHA512
e6b8f584d132115fd748036dd7a6c6ce31fad8613ba7a666055e34796ec068919c7934776fa18797c90005e2662ac26e6a8a6b8f4fecb9f89842533e829672a5

Download Submit
\Windows\SysWOW64\rserver30\Update\ds.dll
Filesize
64KB

MD5
0e6348217952742e467e254f2ec751ce

SHA1
58c2e9381cce0e3990609db0965c2fc69d258536

SHA256
655132cce75d019a01fda98e8b51b226bfbe9cf2a9e9d685678349c21f3e9a23

SHA512
e6b8f584d132115fd748036dd7a6c6ce31fad8613ba7a666055e34796ec068919c7934776fa18797c90005e2662ac26e6a8a6b8f4fecb9f89842533e829672a5

Download Submit
\Windows\SysWOW64\rserver30\Update\ds.dll
Filesize
64KB

MD5
0e6348217952742e467e254f2ec751ce

SHA1
58c2e9381cce0e3990609db0965c2fc69d258536

SHA256
655132cce75d019a01fda98e8b51b226bfbe9cf2a9e9d685678349c21f3e9a23

SHA512
e6b8f584d132115fd748036dd7a6c6ce31fad8613ba7a666055e34796ec068919c7934776fa18797c90005e2662ac26e6a8a6b8f4fecb9f89842533e829672a5

Download Submit
\Windows\SysWOW64\rserver30\Update\ds.dll
Filesize
64KB

MD5
0e6348217952742e467e254f2ec751ce

SHA1
58c2e9381cce0e3990609db0965c2fc69d258536

SHA256
655132cce75d019a01fda98e8b51b226bfbe9cf2a9e9d685678349c21f3e9a23

SHA512
e6b8f584d132115fd748036dd7a6c6ce31fad8613ba7a666055e34796ec068919c7934776fa18797c90005e2662ac26e6a8a6b8f4fecb9f89842533e829672a5

Download Submit
\Windows\SysWOW64\rserver30\Update\getinfo.dll
Filesize
8KB

MD5
68f3bcbc39ec621dce9b5298e46fd691

SHA1
c22531dfafce37601e7b02cec8ddd0a1c1a0cdfc

SHA256
b99d42796d4d00465ec8859c612c69ee7d0f3d4adefe626833855f5943a1befd

SHA512
63a573258aa4ddee5e59121f36e848bbbd29b857d0456bc46f0bb32e7760ef4be8c6ca8e597a27a4003231a8b9f61ad41ac29ad4038c6f536ee184bd751bf4b5

Download Submit
\Windows\SysWOW64\rserver30\WinLpcDl.dll
Filesize
224KB

MD5
d3eafd4f8cda4050cc67db87de177c70

SHA1
09813c43f2fbfa55652c3586317e37def0bcb446

SHA256
6418c051f21e3bfdb196a8d31873fd3ece490a100ac447f90e87c1c3a2a57cb1

SHA512
5ae3f0a757c829a96b37b79c491f8e53e8d9cc513c1700780e949d653b3a0e87517bbc91ef288ea3ba9ca6a4cac0b2c1e4f5bb6e462af31062c944fc930fda87

Download Submit
\Windows\SysWOW64\rserver30\WinLpcDl.dll
Filesize
224KB

MD5
d3eafd4f8cda4050cc67db87de177c70

SHA1
09813c43f2fbfa55652c3586317e37def0bcb446

SHA256
6418c051f21e3bfdb196a8d31873fd3ece490a100ac447f90e87c1c3a2a57cb1

SHA512
5ae3f0a757c829a96b37b79c491f8e53e8d9cc513c1700780e949d653b3a0e87517bbc91ef288ea3ba9ca6a4cac0b2c1e4f5bb6e462af31062c944fc930fda87

Download Submit
\Windows\SysWOW64\rserver30\WinLpcDl.dll
Filesize
224KB

MD5
d3eafd4f8cda4050cc67db87de177c70

SHA1
09813c43f2fbfa55652c3586317e37def0bcb446

SHA256
6418c051f21e3bfdb196a8d31873fd3ece490a100ac447f90e87c1c3a2a57cb1

SHA512
5ae3f0a757c829a96b37b79c491f8e53e8d9cc513c1700780e949d653b3a0e87517bbc91ef288ea3ba9ca6a4cac0b2c1e4f5bb6e462af31062c944fc930fda87

Download Submit
\Windows\SysWOW64\rserver30\devcon.exe
Filesize
79KB

MD5
0eef488df0e3b2ed497315d6ae2111c6

SHA1
dc5764dd42d60a772456fb231327cbfbdd4886e3

SHA256
8f584354d11cc729c0e113c940fce111e881f0fa6c506770759693a5cab7d918

SHA512
105c626d921379ec500e575aeb164ada4852935a54140f123e05c31c5ad707f19921fb842b1ae33f2a0a71b3b30b77312fae5ed24fdc9ccc4580a9952eba52c8

Download Submit
\Windows\SysWOW64\rserver30\devcon.exe
Filesize
79KB

MD5
0eef488df0e3b2ed497315d6ae2111c6

SHA1
dc5764dd42d60a772456fb231327cbfbdd4886e3

SHA256
8f584354d11cc729c0e113c940fce111e881f0fa6c506770759693a5cab7d918

SHA512
105c626d921379ec500e575aeb164ada4852935a54140f123e05c31c5ad707f19921fb842b1ae33f2a0a71b3b30b77312fae5ed24fdc9ccc4580a9952eba52c8

Download Submit
\Windows\SysWOW64\rserver30\devcon.exe
Filesize
79KB

MD5
0eef488df0e3b2ed497315d6ae2111c6

SHA1
dc5764dd42d60a772456fb231327cbfbdd4886e3

SHA256
8f584354d11cc729c0e113c940fce111e881f0fa6c506770759693a5cab7d918

SHA512
105c626d921379ec500e575aeb164ada4852935a54140f123e05c31c5ad707f19921fb842b1ae33f2a0a71b3b30b77312fae5ed24fdc9ccc4580a9952eba52c8

Download Submit
\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
\Windows\SysWOW64\rserver30\sc.exe
Filesize
30KB

MD5
4563a5dc09a73778c6ab774374de8032

SHA1
3b4182531777c1a0a0c781cd254bec55e3dbe2fd

SHA256
3bb28142a9e216e711e044cacba9e34b762e265bc0616c105b8c193d1bfab89c

SHA512
f0ca9d88ab97a2737b1ab8d03611efd1fa8d28a48abd05c670de42fd2e0eabe2d40b23dce043816df3d2fa2a215df05491b7fcd43785fe5839670260f2e8c670

Download Submit
\Windows\SysWOW64\rserver30\vcintcx.dll
Filesize
493KB

MD5
9714e310b41b2d59e7b6582e7ca95abd

SHA1
4b446651b9c338e3a8d1b1491714d98ded580b1e

SHA256
c792ba0c7f738bf47da789713849f3be1036381d71ac9f63d5f98ccbfdca0de3

SHA512
22d7a17d045d97c3f260062350604c3533f6ded52e05a8ef52c2e3fab524336ca2b6389663a77e94207405207103a97fbc55a380853823e8a9acc9b2171b2fbb

Download Submit
\Windows\SysWOW64\rserver30\wsock32.dll
Filesize
73KB

MD5
550bbb5693887738e28955cea4497308

SHA1
b1e9a54702dd55283706e13487fa23da772c10bb

SHA256
6e832819a858afd9319f2cd975a99183505bab00f7cea0492b943c2ebb66c95b

SHA512
efd56fd2490c559413e17546e1c6ca14a30005031b87c330ebcf6122a31eea3ae2952e57479967ff92448eb490cbf1f0695873b6251e859cebad5aded5a400d8

Download Submit
\Windows\SysWOW64\rserver30\wsock32.dll
Filesize
73KB

MD5
550bbb5693887738e28955cea4497308

SHA1
b1e9a54702dd55283706e13487fa23da772c10bb

SHA256
6e832819a858afd9319f2cd975a99183505bab00f7cea0492b943c2ebb66c95b

SHA512
efd56fd2490c559413e17546e1c6ca14a30005031b87c330ebcf6122a31eea3ae2952e57479967ff92448eb490cbf1f0695873b6251e859cebad5aded5a400d8

Download Submit
\Windows\SysWOW64\rserver30\wsock32.dll
Filesize
73KB

MD5
550bbb5693887738e28955cea4497308

SHA1
b1e9a54702dd55283706e13487fa23da772c10bb

SHA256
6e832819a858afd9319f2cd975a99183505bab00f7cea0492b943c2ebb66c95b

SHA512
efd56fd2490c559413e17546e1c6ca14a30005031b87c330ebcf6122a31eea3ae2952e57479967ff92448eb490cbf1f0695873b6251e859cebad5aded5a400d8

Download Submit
memory/268-78-0x0000000000000000-mapping.dmp

Download
memory/320-119-0x0000000000000000-mapping.dmp

Download
memory/388-115-0x0000000000000000-mapping.dmp

Download
memory/588-76-0x0000000000000000-mapping.dmp

Download
memory/596-120-0x0000000000000000-mapping.dmp

Download
memory/868-109-0x0000000000000000-mapping.dmp

Download
memory/960-106-0x0000000000000000-mapping.dmp

Download
memory/988-165-0x0000000000000000-mapping.dmp

Download
memory/1172-164-0x0000000000000000-mapping.dmp

Download
memory/1208-67-0x0000000000000000-mapping.dmp

Download
memory/1272-66-0x0000000000000000-mapping.dmp

Download
memory/1304-64-0x0000000000000000-mapping.dmp

Download
memory/1480-159-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1480-160-0x0000000060000000-0x0000000060078000-memory.dmp

Filesize
480KB

Download
memory/1480-140-0x0000000000000000-mapping.dmp

Download
memory/1480-143-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/1532-112-0x0000000000000000-mapping.dmp

Download
memory/1564-168-0x00000000006B0000-0x00000000006D8000-memory.dmp

Filesize
160KB

Download
memory/1564-166-0x0000000000000000-mapping.dmp

Download
memory/1636-86-0x0000000000000000-mapping.dmp

Download
memory/1728-55-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1728-170-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1728-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1728-79-0x00000000025A0000-0x00000000025AB000-memory.dmp

Filesize
44KB

Download
memory/1728-80-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1728-81-0x00000000025A0000-0x00000000025AB000-memory.dmp

Filesize
44KB

Download
memory/1760-117-0x0000000000000000-mapping.dmp

Download
memory/1768-147-0x0000000000000000-mapping.dmp

Download
memory/1768-162-0x0000000060000000-0x0000000060078000-memory.dmp

Filesize
480KB

Download
memory/1768-163-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/1768-161-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1772-73-0x0000000000000000-mapping.dmp

Download
memory/1780-89-0x0000000000000000-mapping.dmp

Download
memory/1912-136-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1912-125-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1912-127-0x0000000001400000-0x0000000001733000-memory.dmp

Filesize
3.2MB

Download
memory/1912-135-0x0000000001400000-0x0000000001733000-memory.dmp

Filesize
3.2MB

Download
memory/1912-137-0x0000000060000000-0x0000000060078000-memory.dmp

Filesize
480KB

Download
memory/1912-171-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1932-74-0x0000000000000000-mapping.dmp

Download
memory/2000-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads