Analysis
- max time kernel: 141s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-es, locale:es-es, os:windows10-2004-x64, system, windows
- submitted: 04/05/2024, 14:48
Behavioral tasks
Behavioral task | Sample | Resource
behavioral1 | PCRemoteReceiverSetup_7_5_16.exe | win7-20240221-es
behavioral2 | PCRemoteReceiverSetup_7_5_16.exe | win10v2004-20240419-es
behavioral3 | $PLUGINSDIR/InstallOptions.dll | win7-20240215-es
behavioral4 | $PLUGINSDIR/InstallOptions.dll | win10v2004-20240426-es
behavioral5 | $PLUGINSDIR/LangDLL.dll | win7-20231129-es
behavioral6 | $PLUGINSDIR/LangDLL.dll | win10v2004-20240419-es
behavioral7 | $PLUGINSDIR/System.dll | win7-20240221-es
behavioral8 | $PLUGINSDIR/System.dll | win10v2004-20240419-es
behavioral9 | MonectMediaCenter.exe | win7-20231129-es
behavioral10 | MonectMediaCenter.exe | win10v2004-20240419-es
behavioral11 | MonectRuntimeCheck.exe | win7-20240221-es
behavioral12 | MonectRuntimeCheck.exe | win10v2004-20240419-es
behavioral13 | MonectServer.exe | win7-20240221-es
behavioral14 | MonectServer.exe | win10v2004-20240226-es
behavioral15 | MonectServerService.exe | win7-20240221-es
behavioral16 | MonectServerService.exe | win10v2004-20240419-es
behavioral17 | PCRemoteReceiver.exe | win7-20240215-es
behavioral18 | PCRemoteReceiver.exe | win10v2004-20240419-es
behavioral19 | Packages/vc_redist.x64.exe | win7-20240220-es
behavioral20 | Packages/vc_redist.x64.exe | win10v2004-20240419-es
behavioral21 | QRCodeEncoder.dll | win7-20240221-es
behavioral22 | QRCodeEncoder.dll | win10v2004-20240419-es
behavioral23 | SDL2.dll | win7-20231129-es
behavioral24 | SDL2.dll | win10v2004-20240419-es
behavioral25 | SDL2_image.dll | win7-20240221-es
behavioral26 | SDL2_image.dll | win10v2004-20240419-es
behavioral27 | TouchInput.dll | win7-20240221-es
behavioral28 | TouchInput.dll | win10v2004-20240419-es
behavioral29 | avcodec-59.dll | win7-20240215-es
behavioral30 | avcodec-59.dll | win10v2004-20240426-es
behavioral31 | avformat-59.dll | win7-20240221-es
behavioral32 | avformat-59.dll | win10v2004-20240419-es
General
- Target: MonectRuntimeCheck.exe
- Size: 121KB
- MD5: 855868707c8daba66438545fba07b490
- SHA1: cb28feed2dc91fbb47dd3da4527ac7fb00a04f25
- SHA256: 7a3846a11ebe48d769c2983931fad9c71a924b2f0d892a478aeff528e108883e
- SHA512: df3cd7a00eb562412b204cbb8e06cb31917b665f01cb9f521a8ba66ede8440b208f705da17159048e34327ca00d0c1b926bd1a78c0543c272203cb749c55dca3
- SSDEEP: 768:kLnW4UkQyOM9aV1+qXUpv9Sbh9SbPvNnr2u+vTS+ST6nkM:k7hUFyOyaV1+f9C4vNrxk/me
Malware Config
Signatures
Drops file in Drivers directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\vjoy.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\SET4C7B.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SET4C7B.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\SET4C7A.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SET4C7A.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SET51E9.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\ViGEmBus.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\hidkmdf.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\SET51E9.tmp | DrvInst.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
13 | api.ipify.org
11 | api.ipify.org
Modifies Windows Firewall 2 TTPs 3 IoCs
pid | Process
1968 | netsh.exe
1272 | netsh.exe
912 | netsh.exe
Drops file in System32 directory 50 IoCs
Drops file in Windows directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File created | C:\Windows\inf\oem4.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem4.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | driververifyx64.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | driververifyx64.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 64 IoCs
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeAuditPrivilege | 3860 | svchost.exe
Token: SeSecurityPrivilege | 3860 | svchost.exe
Token: SeLoadDriverPrivilege | 4288 | driververifyx64.exe
Token: SeRestorePrivilege | 4816 | DrvInst.exe
Token: SeBackupPrivilege | 4816 | DrvInst.exe
Token: SeRestorePrivilege | 4816 | DrvInst.exe
Token: SeBackupPrivilege | 4816 | DrvInst.exe
Token: SeLoadDriverPrivilege | 4816 | DrvInst.exe
Token: SeLoadDriverPrivilege | 4816 | DrvInst.exe
Token: SeLoadDriverPrivilege | 4816 | DrvInst.exe
Token: 33 | 1776 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1776 | AUDIODG.EXE
Token: SeLoadDriverPrivilege | 4288 | driververifyx64.exe
Token: SeRestorePrivilege | 3804 | DrvInst.exe
Token: SeBackupPrivilege | 3804 | DrvInst.exe
Token: SeRestorePrivilege | 3804 | DrvInst.exe
Token: SeBackupPrivilege | 3804 | DrvInst.exe
Token: SeLoadDriverPrivilege | 3804 | DrvInst.exe
Token: SeLoadDriverPrivilege | 3804 | DrvInst.exe
Token: SeLoadDriverPrivilege | 3804 | DrvInst.exe
Token: SeLoadDriverPrivilege | 4196 | driververifyx64.exe
Token: SeLoadDriverPrivilege | 4196 | driververifyx64.exe
Token: SeLoadDriverPrivilege | 4196 | driververifyx64.exe
Token: SeLoadDriverPrivilege | 4196 | driververifyx64.exe
Token: SeLoadDriverPrivilege | 4196 | driververifyx64.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 2400 wrote to memory of 4288 | 2400 | MonectRuntimeCheck.exe | 85
PID 2400 wrote to memory of 4288 | 2400 | MonectRuntimeCheck.exe | 85
PID 3860 wrote to memory of 3988 | 3860 | svchost.exe | 88
PID 3860 wrote to memory of 3988 | 3860 | svchost.exe | 88
PID 3860 wrote to memory of 4816 | 3860 | svchost.exe | 89
PID 3860 wrote to memory of 4816 | 3860 | svchost.exe | 89
PID 3860 wrote to memory of 1736 | 3860 | svchost.exe | 92
PID 3860 wrote to memory of 1736 | 3860 | svchost.exe | 92
PID 3860 wrote to memory of 3804 | 3860 | svchost.exe | 94
PID 3860 wrote to memory of 3804 | 3860 | svchost.exe | 94
PID 2400 wrote to memory of 1968 | 2400 | MonectRuntimeCheck.exe | 96
PID 2400 wrote to memory of 1968 | 2400 | MonectRuntimeCheck.exe | 96
PID 4464 wrote to memory of 4196 | 4464 | MonectServerService.exe | 98
PID 4464 wrote to memory of 4196 | 4464 | MonectServerService.exe | 98
PID 4464 wrote to memory of 2320 | 4464 | MonectServerService.exe | 101
PID 4464 wrote to memory of 2320 | 4464 | MonectServerService.exe | 101
PID 2400 wrote to memory of 1272 | 2400 | MonectRuntimeCheck.exe | 103
PID 2400 wrote to memory of 1272 | 2400 | MonectRuntimeCheck.exe | 103
PID 2400 wrote to memory of 912 | 2400 | MonectRuntimeCheck.exe | 111
PID 2400 wrote to memory of 912 | 2400 | MonectRuntimeCheck.exe | 111
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\MonectRuntimeCheck.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MonectRuntimeCheck.exe"
  PID: 2400
  Signatures: Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\driververifyx64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\driververifyx64.exe"
    PID: 4288
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
  - Image: C:\Windows\System32\netsh.exe
    Command line: advfirewall firewall add rule name="MonectServerService" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\MonectServerService.exe" enable=yes
    PID: 1968
    Signatures: Modifies Windows Firewall
  - Image: C:\Windows\System32\netsh.exe
    Command line: advfirewall firewall add rule name="PCRemoteReceiver" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\PCRemoteReceiver.exe" enable=yes
    PID: 1272
    Signatures: Modifies Windows Firewall
  - Image: C:\Windows\System32\netsh.exe
    Command line: advfirewall firewall add rule name="MonectMediaCenter" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\MonectMediaCenter.exe" enable=yes
    PID: 912
    Signatures: Modifies Windows Firewall
- Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  PID: 3860
  Signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1e34059f-ac64-c340-b79a-81fe00628a98}\vjoy.inf" "9" "49e52482b" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\users\admin\appdata\local\temp\driver\vjoy"
    PID: 3988
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Modifies data under HKEY_USERS
  - Image: C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:b2fe4818a00a2e82:vjoy.Inst.Win7:12.53.21.621:root\vid_1234&pid_bead&rev_0219," "49e52482b" "000000000000014C"
    PID: 4816
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
  - Image: C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d45dc6c6-e4ab-b042-8a95-ba20246fbe80}\vigembus.inf" "9" "429a86e87" "0000000000000168" "WinSta0\Default" "0000000000000138" "208" "c:\users\admin\appdata\local\temp\driver\vigem"
    PID: 1736
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Modifies data under HKEY_USERS
  - Image: C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c14ce88408607219:ViGEmBus_Device:1.16.112.0:nefarius\vigembus\gen1," "429a86e87" "0000000000000168"
    PID: 3804
    Signatures: Drops file in Drivers directory; Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- Image: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x45c 0x490
  PID: 1776
  Signatures: Suspicious use of AdjustPrivilegeToken
- Image: C:\Users\Admin\AppData\Local\Temp\MonectServerService.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MonectServerService.exe
  PID: 4464
  Signatures: Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\driververifyx64.exe
    Command line: -disable
    PID: 4196
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
  - Image: C:\Users\Admin\AppData\Local\Temp\MonectServer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MonectServer.exe"
    PID: 2320
Downloads