Overview

Scores per analysis tab (sandbox score, 1 to 10; truncated names are as shown on the page):

Tab                    Platform             Score
overview               -                    10
static                 -                    10
PCRemoteRe...16.exe    windows7-x64         4
PCRemoteRe...16.exe    windows10-2004-x64   10
$PLUGINSDI...ns.dll    windows7-x64         3
$PLUGINSDI...ns.dll    windows10-2004-x64   3
$PLUGINSDI...LL.dll    windows7-x64         3
$PLUGINSDI...LL.dll    windows10-2004-x64   3
$PLUGINSDI...em.dll    windows7-x64         3
$PLUGINSDI...em.dll    windows10-2004-x64   3
MonectMediaCenter.exe  windows7-x64         10
MonectMediaCenter.exe  windows10-2004-x64   10
MonectRunt...ck.exe    windows7-x64         5
MonectRunt...ck.exe    windows10-2004-x64   8
MonectServer.exe       windows7-x64         1
MonectServer.exe       windows10-2004-x64   1
MonectServ...ce.exe    windows7-x64         1
MonectServ...ce.exe    windows10-2004-x64   1
PCRemoteReceiver.exe   windows7-x64         10
PCRemoteReceiver.exe   windows10-2004-x64   10
Packages/v...64.exe    windows7-x64         7
Packages/v...64.exe    windows10-2004-x64   7
QRCodeEncoder.dll      windows7-x64         1
QRCodeEncoder.dll      windows10-2004-x64   1
SDL2.dll               windows7-x64         1
SDL2.dll               windows10-2004-x64   1
SDL2_image.dll         windows7-x64         1
SDL2_image.dll         windows10-2004-x64   1
TouchInput.dll         windows7-x64         1
TouchInput.dll         windows10-2004-x64   1
avcodec-59.dll         windows7-x64         10
avcodec-59.dll         windows10-2004-x64   10
avformat-59.dll        windows7-x64         10
avformat-59.dll        windows10-2004-x64   10

Analysis
max time kernel: 146s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240419-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 04/05/2024, 14:48
Behavioral tasks

Task          Sample                              Resource
behavioral1   PCRemoteReceiverSetup_7_5_16.exe    win7-20240221-es
behavioral2   PCRemoteReceiverSetup_7_5_16.exe    win10v2004-20240419-es
behavioral3   $PLUGINSDIR/InstallOptions.dll      win7-20240215-es
behavioral4   $PLUGINSDIR/InstallOptions.dll      win10v2004-20240426-es
behavioral5   $PLUGINSDIR/LangDLL.dll             win7-20231129-es
behavioral6   $PLUGINSDIR/LangDLL.dll             win10v2004-20240419-es
behavioral7   $PLUGINSDIR/System.dll              win7-20240221-es
behavioral8   $PLUGINSDIR/System.dll              win10v2004-20240419-es
behavioral9   MonectMediaCenter.exe               win7-20231129-es
behavioral10  MonectMediaCenter.exe               win10v2004-20240419-es
behavioral11  MonectRuntimeCheck.exe              win7-20240221-es
behavioral12  MonectRuntimeCheck.exe              win10v2004-20240419-es
behavioral13  MonectServer.exe                    win7-20240221-es
behavioral14  MonectServer.exe                    win10v2004-20240226-es
behavioral15  MonectServerService.exe             win7-20240221-es
behavioral16  MonectServerService.exe             win10v2004-20240419-es
behavioral17  PCRemoteReceiver.exe                win7-20240215-es
behavioral18  PCRemoteReceiver.exe                win10v2004-20240419-es
behavioral19  Packages/vc_redist.x64.exe          win7-20240220-es
behavioral20  Packages/vc_redist.x64.exe          win10v2004-20240419-es
behavioral21  QRCodeEncoder.dll                   win7-20240221-es
behavioral22  QRCodeEncoder.dll                   win10v2004-20240419-es
behavioral23  SDL2.dll                            win7-20231129-es
behavioral24  SDL2.dll                            win10v2004-20240419-es
behavioral25  SDL2_image.dll                      win7-20240221-es
behavioral26  SDL2_image.dll                      win10v2004-20240419-es
behavioral27  TouchInput.dll                      win7-20240221-es
behavioral28  TouchInput.dll                      win10v2004-20240419-es
behavioral29  avcodec-59.dll                      win7-20240215-es
behavioral30  avcodec-59.dll                      win10v2004-20240426-es
behavioral31  avformat-59.dll                     win7-20240221-es
behavioral32  avformat-59.dll                     win10v2004-20240419-es
General

Target: PCRemoteReceiver.exe
Size: 7.2MB
MD5: 1f131b830b107f7ff0e12be96cac1eb1
SHA1: 1abb094ccb683d7e5ab18c1fe3bc37ad777accba
SHA256: 22720868281ba4a699ebe9e34a94865bfb40207b386672d0afa4e4daba94bc0d
SHA512: c4df0294a1b25f96de69bf228f6b8612a9ab6f048110de441f83ef088296cb7106cc1dd125b32f4784395f99f579a4090c35a6db801d8ee442e57344858142eb
SSDEEP: 98304:n+iVLTjmGW8YRlXXe4nazbKBZ1P9BAvzycT6BKig+Z6elPq:nhzmGQRlXX5azWH1qKgig+Aepq
Malware Config
Signatures
PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Drops file in Drivers directory (9 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\System32\drivers\SET595B.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\drivers\vjoy.sys | DrvInst.exe
  File opened for modification | C:\Windows\System32\drivers\SET595C.tmp | DrvInst.exe
  File created | C:\Windows\System32\drivers\SET595C.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\drivers\ViGEmBus.sys | DrvInst.exe
  File created | C:\Windows\System32\drivers\SET595B.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\drivers\hidkmdf.sys | DrvInst.exe
  File opened for modification | C:\Windows\System32\drivers\SET5B8D.tmp | DrvInst.exe
  File created | C:\Windows\System32\drivers\SET5B8D.tmp | DrvInst.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  17 | api.ipify.org
  18 | api.ipify.org

Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid | process
  4620 | netsh.exe
  2612 | netsh.exe
  1812 | netsh.exe
  (The three netsh.exe command lines are shown in the Processes section: each adds an inbound allow rule for an executable under C:\Users\Admin\AppData\Local\Temp, with no remote address or port restriction.)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | PCRemoteReceiver.exe
Drops file in System32 directory (50 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\x64\WdfCoInstaller01009.dll | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\vigembus.inf | DrvInst.exe
  File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
  File opened for modification | C:\Windows\System32\WdfCoInstaller01009.dll | DrvInst.exe
  File created | C:\Windows\System32\SET5B9E.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\ViGEmBus.cat | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\vjoy.sys | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\WdfCoInstaller01009.dll | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET55A3.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\SET5B9E.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET5582.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET5601.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\x64 | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\x64\WdfCoInstaller01009.dll | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET5601.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vJoy.cat | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481} | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET5582.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\SET5AB5.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET5613.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.PNF | driververifyx64.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\SET5AB5.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET5602.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.PNF | driververifyx64.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\vjoy.inf | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET5613.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\x64\ViGEmBus.sys | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET5602.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.PNF | driververifyx64.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\x64\ViGEmBus.sys | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\vJoy.cat | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.sys | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.inf | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\x64\SET5AA3.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\SET5AB6.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884} | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\hidkmdf.sys | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\x64\SET5AB4.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\WdfCoInstaller01009.dll | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\x64\SET5AA3.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\x64\SET5AB4.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{1b35a4e4-c5d0-584a-9002-2d0e3b4de481}\SET55A3.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\hidkmdf.sys | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\SET5AB6.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{ce672516-aa4b-4c40-a4e2-7d382620c884}\vigembus.inf | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\ViGEmBus.cat | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\vigembus.PNF | driververifyx64.exe
Drops file in Windows directory (11 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
  File created | C:\Windows\inf\oem3.inf | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File opened for modification | C:\Windows\inf\oem4.inf | DrvInst.exe
  File created | C:\Windows\inf\oem4.inf | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | driververifyx64.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | driververifyx64.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
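The three file-drop signatures above (Drivers directory, System32 directory, Windows directory) together describe a kernel-driver installation: .sys files landing in System32\drivers, driver packages staged in DriverStore\FileRepository, and the published oem*.inf copies. What a reviewer wants from them is a short answer to "which drivers were installed, and did anything other than the PnP installer write them". The following is an added example, not code from the sandbox or from Monect: it parses rows in this report's `description ioc process` format and produces that summary. REPORT_ROWS is a representative subset copied from the three tables; the assumption that DrvInst.exe is the only expected writer of System32\drivers, and the CONSTRUCTED_ROW, are the example's own.

```python
"""Summarise kernel-driver installation from file-drop IoC rows.

Added example for this report, not sandbox or Monect code. REPORT_ROWS holds a
representative subset of the rows from the 'Drops file in Drivers directory',
'Drops file in System32 directory' and 'Drops file in Windows directory' tables;
CONSTRUCTED_ROW is made up to show what an anomalous writer looks like.
"""
import re
from collections import defaultdict

# One table row: "<description> <path> <process>"; paths in these tables contain no spaces.
ROW_RE = re.compile(r"(File created|File opened for modification) (\S+) (\S+)")
DRIVER_BIN_RE = re.compile(r"\\System32\\drivers\\([^\\]+\.sys)$", re.IGNORECASE)
PACKAGE_RE = re.compile(r"\\DriverStore\\FileRepository\\([^\\]+\.inf_\w+)\\", re.IGNORECASE)
OEM_INF_RE = re.compile(r"\\Windows\\inf\\(oem\d+\.inf)$", re.IGNORECASE)

# Assumption for this example: Windows' own PnP installer (spawned by the
# DeviceInstall svchost) is the only image expected to write .sys files into
# System32\drivers. A .sys landing there from any other image bypassed PnP.
EXPECTED_DRIVER_WRITERS = {"DrvInst.exe"}

REPORT_ROWS = r"""
File opened for modification C:\Windows\System32\drivers\vjoy.sys DrvInst.exe
File created C:\Windows\System32\drivers\SET595C.tmp DrvInst.exe
File opened for modification C:\Windows\System32\drivers\ViGEmBus.sys DrvInst.exe
File opened for modification C:\Windows\System32\drivers\hidkmdf.sys DrvInst.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\vigembus.inf DrvInst.exe
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.sys DrvInst.exe
File created C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.PNF driververifyx64.exe
File created C:\Windows\inf\oem3.inf DrvInst.exe
File created C:\Windows\inf\oem4.inf DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe
"""

# Constructed, not from the report: a .sys written directly by the sample.
CONSTRUCTED_ROW = r"File created C:\Windows\System32\drivers\payload.sys PCRemoteReceiver.exe"


def parse_rows(text):
    """Return (description, path, process) tuples for every row in the text."""
    return ROW_RE.findall(text)


def summarize(rows):
    """Extract installed drivers, staged packages, published INFs and odd writers."""
    drivers, packages, oem_infs = set(), set(), set()
    driver_writers = defaultdict(set)
    for _description, path, process in rows:
        m = DRIVER_BIN_RE.search(path)
        if m:
            drivers.add(m.group(1))
            driver_writers[m.group(1)].add(process)
        m = PACKAGE_RE.search(path)
        if m:
            packages.add(m.group(1))
        m = OEM_INF_RE.search(path)
        if m:
            oem_infs.add(m.group(1))
    unexpected = {
        drv: writers - EXPECTED_DRIVER_WRITERS
        for drv, writers in driver_writers.items()
        if writers - EXPECTED_DRIVER_WRITERS
    }
    return {
        "drivers": drivers,
        "packages": packages,
        "oem_infs": oem_infs,
        "unexpected_driver_writers": unexpected,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(REPORT_ROWS)).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
    print("with constructed row:",
          summarize(parse_rows(REPORT_ROWS + CONSTRUCTED_ROW))["unexpected_driver_writers"])
```

On the report's rows the summary is three drivers (vjoy.sys, ViGEmBus.sys, hidkmdf.sys), three staged packages (vigembus, vjoy, swenum) and two published INFs (oem3.inf, oem4.inf), all written by DrvInst.exe; the constructed row is the only one that trips the unexpected-writer check. Knowing the driver names also tells the responder what to look for on a live host: the oem*.inf entries and the FileRepository package names are what `pnputil /enum-drivers` lists.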
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Note: every reader in this table is svchost.exe, DrvInst.exe or driververifyx64.exe, the components doing the driver installation; PCRemoteReceiver.exe itself appears in none of these rows.
  All ioc paths are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted below).
  description | ioc | process
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | DrvInst.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | driververifyx64.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | driververifyx64.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | DrvInst.exe
  Key opened | DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | driververifyx64.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | driververifyx64.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | driververifyx64.exe
  Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
  Key opened | DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | DrvInst.exe
  Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | driververifyx64.exe
  Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | DrvInst.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | driververifyx64.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | driververifyx64.exe
  Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe
  Key opened | DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | DrvInst.exe
  Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
  Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | driververifyx64.exe
  Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | DrvInst.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | driververifyx64.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | DrvInst.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | DrvInst.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | DrvInst.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | driververifyx64.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | DrvInst.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | driververifyx64.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | driververifyx64.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | driververifyx64.exe
  Key opened | DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
  Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | DrvInst.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | DrvInst.exe
  Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | driververifyx64.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe
  Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | driververifyx64.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | driververifyx64.exe
  Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | DrvInst.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
  Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | driververifyx64.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | DrvInst.exe
  Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | DrvInst.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | DrvInst.exe
Modifies data under HKEY_USERS (64 IoCs)
  Note: with the exception of the ActiveMovie\devenum keys created by MonectServerService.exe, every entry is a certificate-store or WinTrust key created under .DEFAULT by DrvInst.exe.
  All ioc paths are under \REGISTRY\USER\.DEFAULT\ (prefix omitted below).
  description | ioc | process
  Key created | Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Key created | Software\Microsoft\ActiveMovie\devenum 64-bit | MonectServerService.exe
  Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Root | DrvInst.exe
  Key created | Software | MonectServerService.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Root | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
  Set value (int) | Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | MonectServerService.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | Software\Microsoft\ActiveMovie | MonectServerService.exe
  Key created | Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key created | Software\Microsoft | MonectServerService.exe
  Key created | Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
  Key created | Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Note: SeLoadDriverPrivilege is enabled by driververifyx64.exe (PIDs 3256 and 4264) and by both DrvInst.exe instances (PIDs 3896 and 4384), consistent with the driver installation recorded above. Privilege LUID 33 is SeIncreaseWorkingSetPrivilege.
  description | pid | process
  Token: SeAuditPrivilege | 2576 | svchost.exe
  Token: SeSecurityPrivilege | 2576 | svchost.exe
  Token: SeLoadDriverPrivilege | 3256 | driververifyx64.exe
  Token: SeRestorePrivilege | 3896 | DrvInst.exe
  Token: SeBackupPrivilege | 3896 | DrvInst.exe
  Token: SeRestorePrivilege | 3896 | DrvInst.exe
  Token: SeBackupPrivilege | 3896 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 3896 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 3896 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 3896 | DrvInst.exe
  Token: 33 | 3252 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3252 | AUDIODG.EXE
  Token: SeLoadDriverPrivilege | 3256 | driververifyx64.exe
  Token: SeRestorePrivilege | 4384 | DrvInst.exe
  Token: SeBackupPrivilege | 4384 | DrvInst.exe
  Token: SeRestorePrivilege | 4384 | DrvInst.exe
  Token: SeBackupPrivilege | 4384 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 4384 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 4384 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 4384 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 4264 | driververifyx64.exe
  Token: SeLoadDriverPrivilege | 4264 | driververifyx64.exe
  Token: SeLoadDriverPrivilege | 4264 | driververifyx64.exe
  Token: SeLoadDriverPrivilege | 4264 | driververifyx64.exe
  Token: SeLoadDriverPrivilege | 4264 | driververifyx64.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  920 | PCRemoteReceiver.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid | process
  920 | PCRemoteReceiver.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  920 | PCRemoteReceiver.exe
  920 | PCRemoteReceiver.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | process | procid_target
  PID 920 wrote to memory of 536 | 920 | PCRemoteReceiver.exe | 86
  PID 920 wrote to memory of 536 | 920 | PCRemoteReceiver.exe | 86
  PID 536 wrote to memory of 3256 | 536 | MonectRuntimeCheck.exe | 88
  PID 536 wrote to memory of 3256 | 536 | MonectRuntimeCheck.exe | 88
  PID 2576 wrote to memory of 2656 | 2576 | svchost.exe | 91
  PID 2576 wrote to memory of 2656 | 2576 | svchost.exe | 91
  PID 2576 wrote to memory of 3896 | 2576 | svchost.exe | 92
  PID 2576 wrote to memory of 3896 | 2576 | svchost.exe | 92
  PID 2576 wrote to memory of 2272 | 2576 | svchost.exe | 95
  PID 2576 wrote to memory of 2272 | 2576 | svchost.exe | 95
  PID 2576 wrote to memory of 4384 | 2576 | svchost.exe | 96
  PID 2576 wrote to memory of 4384 | 2576 | svchost.exe | 96
  PID 536 wrote to memory of 4620 | 536 | MonectRuntimeCheck.exe | 98
  PID 536 wrote to memory of 4620 | 536 | MonectRuntimeCheck.exe | 98
  PID 2140 wrote to memory of 4264 | 2140 | MonectServerService.exe | 100
  PID 2140 wrote to memory of 4264 | 2140 | MonectServerService.exe | 100
  PID 2140 wrote to memory of 3612 | 2140 | MonectServerService.exe | 103
  PID 2140 wrote to memory of 3612 | 2140 | MonectServerService.exe | 103
  PID 536 wrote to memory of 2612 | 536 | MonectRuntimeCheck.exe | 109
  PID 536 wrote to memory of 2612 | 536 | MonectRuntimeCheck.exe | 109
  PID 536 wrote to memory of 1812 | 536 | MonectRuntimeCheck.exe | 113
  PID 536 wrote to memory of 1812 | 536 | MonectRuntimeCheck.exe | 113
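A parent writing into a child it has just created is ordinary process start-up, so the WriteProcessMemory rows above only become interesting when the target is not the writer's child. That check can be made mechanically against the Processes section. The following is an added example, not code from the sandbox or from Monect: it parses the 22 rows of this report's table, deduplicates them into writer/target pairs, and buckets each pair by whether the report's own process tree shows the target as a direct child of the writer. REPORT_ROWS is the table text as printed on this page; VISIBLE_PARENTS is the child-to-parent map read off the Processes section, which is truncated on this page, so pairs whose target does not appear there are reported as unverifiable rather than guessed.

```python
"""Cross-check 'wrote to memory of' rows against the reported process tree.

Added example for this report (not sandbox or Monect code). REPORT_ROWS is the
text of the report's 'Suspicious use of WriteProcessMemory' table; VISIBLE_PARENTS
is the child -> parent map read off the report's Processes section. PIDs whose
parent the (truncated) tree does not show are bucketed separately, not guessed.
"""
import re
from typing import Dict, List, Set, Tuple

# Row layout: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

REPORT_ROWS = (
    "PID 920 wrote to memory of 536 920 PCRemoteReceiver.exe 86 "
    "PID 920 wrote to memory of 536 920 PCRemoteReceiver.exe 86 "
    "PID 536 wrote to memory of 3256 536 MonectRuntimeCheck.exe 88 "
    "PID 536 wrote to memory of 3256 536 MonectRuntimeCheck.exe 88 "
    "PID 2576 wrote to memory of 2656 2576 svchost.exe 91 "
    "PID 2576 wrote to memory of 2656 2576 svchost.exe 91 "
    "PID 2576 wrote to memory of 3896 2576 svchost.exe 92 "
    "PID 2576 wrote to memory of 3896 2576 svchost.exe 92 "
    "PID 2576 wrote to memory of 2272 2576 svchost.exe 95 "
    "PID 2576 wrote to memory of 2272 2576 svchost.exe 95 "
    "PID 2576 wrote to memory of 4384 2576 svchost.exe 96 "
    "PID 2576 wrote to memory of 4384 2576 svchost.exe 96 "
    "PID 536 wrote to memory of 4620 536 MonectRuntimeCheck.exe 98 "
    "PID 536 wrote to memory of 4620 536 MonectRuntimeCheck.exe 98 "
    "PID 2140 wrote to memory of 4264 2140 MonectServerService.exe 100 "
    "PID 2140 wrote to memory of 4264 2140 MonectServerService.exe 100 "
    "PID 2140 wrote to memory of 3612 2140 MonectServerService.exe 103 "
    "PID 2140 wrote to memory of 3612 2140 MonectServerService.exe 103 "
    "PID 536 wrote to memory of 2612 536 MonectRuntimeCheck.exe 109 "
    "PID 536 wrote to memory of 2612 536 MonectRuntimeCheck.exe 109 "
    "PID 536 wrote to memory of 1812 536 MonectRuntimeCheck.exe 113 "
    "PID 536 wrote to memory of 1812 536 MonectRuntimeCheck.exe 113"
)

# child PID -> parent PID, exactly as shown in the report's Processes section.
VISIBLE_PARENTS = {536: 920, 3256: 536, 4620: 536, 2612: 536, 1812: 536, 3896: 2576}

Write = Tuple[int, int, str]  # (source pid, target pid, source image)


def parse_rows(text: str) -> List[Write]:
    """One tuple per table row; duplicates are kept so counts match the report."""
    return [(int(s), int(d), img) for s, d, _pid, img, _idx in ROW_RE.findall(text)]


def classify_writes(rows, parents) -> Dict[str, Set[Tuple[int, int]]]:
    """Bucket distinct (source, target) pairs by their relation to the tree.

    parent_to_child: the writer is the target's parent (normal process start-up)
    cross_process:   the writer is not the target's parent (injection candidate)
    unverifiable:    the target's parent is not shown in the tree we were given
    """
    buckets = {"parent_to_child": set(), "cross_process": set(), "unverifiable": set()}
    for src, dst, _img in rows:
        if dst not in parents:
            buckets["unverifiable"].add((src, dst))
        elif parents[dst] == src:
            buckets["parent_to_child"].add((src, dst))
        else:
            buckets["cross_process"].add((src, dst))
    return buckets


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    print(f"{len(rows)} rows, {len({(s, d) for s, d, _ in rows})} distinct writer/target pairs")
    for bucket, pairs in classify_writes(rows, VISIBLE_PARENTS).items():
        print(f"{bucket}: {sorted(pairs)}")
    # Constructed injection case (not from the report): PID 1000 writes into
    # PID 2000, whose parent is 999.
    print("constructed:", classify_writes([(1000, 2000, "x.exe")], {2000: 999})["cross_process"])
```

For this report the 22 rows collapse to 11 pairs: six are parent-to-child writes confirmed by the visible tree (PCRemoteReceiver to MonectRuntimeCheck, MonectRuntimeCheck to driververifyx64 and the three netsh instances, svchost to DrvInst), none is a write into a process that is not the writer's child, and five (the remaining svchost and MonectServerService targets) cannot be checked because the page's process tree is cut off before those PIDs. The bucket worth alerting on in production telemetry is cross_process; the other two are what a benign installer looks like.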
Processes
Indentation and the [n] prefix give the depth in the process tree; each entry lists the image path, the captured command line, the behaviour tags, and the PID.

[1] C:\Users\Admin\AppData\Local\Temp\PCRemoteReceiver.exe  (PID 920)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\PCRemoteReceiver.exe"
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\MonectRuntimeCheck.exe  (PID 536)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\MonectRuntimeCheck.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\driververifyx64.exe  (PID 3256)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\driververifyx64.exe"
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Checks SCSI registry key(s)
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\netsh.exe  (PID 4620)
            cmdline: advfirewall firewall add rule name="MonectServerService" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\MonectServerService.exe" enable=yes
            - Modifies Windows Firewall

        [3] C:\Windows\System32\netsh.exe  (PID 2612)
            cmdline: advfirewall firewall add rule name="PCRemoteReceiver" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\PCRemoteReceiver.exe" enable=yes
            - Modifies Windows Firewall

        [3] C:\Windows\System32\netsh.exe  (PID 1812)
            cmdline: advfirewall firewall add rule name="MonectMediaCenter" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\MonectMediaCenter.exe" enable=yes
            - Modifies Windows Firewall

[1] C:\Windows\system32\svchost.exe  (PID 2576)
    cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\DrvInst.exe  (PID 2656)
        cmdline: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{880b5c6a-9611-b844-96b7-2e60c137351a}\vjoy.inf" "9" "49e52482b" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\users\admin\appdata\local\temp\driver\vjoy"
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Modifies data under HKEY_USERS

    [2] C:\Windows\system32\DrvInst.exe  (PID 3896)
        cmdline: DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:b2fe4818a00a2e82:vjoy.Inst.Win7:12.53.21.621:root\vid_1234&pid_bead&rev_0219," "49e52482b" "0000000000000138"
        - Drops file in Drivers directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\DrvInst.exe  (PID 2272)
        cmdline: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9b85e0e0-f58d-c44c-bc6f-65708288f8b5}\vigembus.inf" "9" "429a86e87" "0000000000000168" "WinSta0\Default" "0000000000000170" "208" "c:\users\admin\appdata\local\temp\driver\vigem"
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Modifies data under HKEY_USERS

    [2] C:\Windows\system32\DrvInst.exe  (PID 4384)
        cmdline: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c14ce88408607219:ViGEmBus_Device:1.16.112.0:nefarius\vigembus\gen1," "429a86e87" "0000000000000168"
        - Drops file in Drivers directory
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\AUDIODG.EXE  (PID 3252)
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x410 0x2fc
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\MonectServerService.exe  (PID 2140)
    cmdline: C:\Users\Admin\AppData\Local\Temp\MonectServerService.exe
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\driververifyx64.exe  (PID 4264)
        cmdline: -disable
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\MonectServer.exe  (PID 3612)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\MonectServer.exe"
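The two things in the tree that change the host's security posture are the three netsh commands, which add inbound allow rules bound to executables under a user-writable Temp directory, and the DrvInst runs, which publish vjoy.inf and vigembus.inf into the driver store as oem3.inf and oem4.inf. The Python below is an added example, not part of the report or of Monect, for checking a host for those artefacts: it parses the key/value output of `netsh advfirewall firewall show rule name=all verbose` and `pnputil /enum-drivers`, and hashes files under a directory against SHA256 values from the Downloads section. The embedded command output is constructed in those tools' layout with placeholder provider names; RULE_NAMES, INF_NAMES, the Temp-path heuristic and the three hashes are taken from this report, and the rest of the Downloads list can be added the same way. vJoy and ViGEmBus are open-source virtual game-controller drivers that a remote-input tool has a legitimate reason to install, so a hit here is a triage lead, not a verdict.

```python
"""Host triage for the artefacts in the report: inbound allow rules added with
netsh, driver packages staged through DrvInst, and files with known hashes."""
import hashlib
import os
import re
import subprocess
import sys

RULE_NAMES = {"MonectServerService", "PCRemoteReceiver", "MonectMediaCenter"}
INF_NAMES = {"vjoy.inf", "vigembus.inf"}
# First three SHA256 values from the Downloads section; extend with the rest.
KNOWN_SHA256 = {
    "44812fe5fe3b848d7d592278382c7c0370eba3115a9bd7f8db22efb89d1ed2b3",
    "8668f69c256baff9422ac9b3ab77448c21b5043547920591148b152cb3afb0d2",
    "1a7627c11aecf24e8e0c9a519498e8456f0457bd89f0ffe649bd8fb53a194f89",
}
KV_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")  # lazy key so 'Program: C:\...' splits once


def parse_records(text, first_key):
    """Split 'Key: value' command output into dicts; a new record starts at each first_key."""
    records, current = [], None
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if not m:
            continue  # banners, separators, blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == first_key:
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def suspicious_rules(netsh_text):
    """Allow rules with one of the report's names, or any whose program lives under Temp."""
    hits = []
    for r in parse_records(netsh_text, "Rule Name"):
        name, program = r.get("Rule Name", ""), r.get("Program", "")
        in_temp = "\\appdata\\local\\temp\\" in program.lower()  # assumption: Temp-path heuristic
        if r.get("Action") == "Allow" and (name in RULE_NAMES or in_temp):
            hits.append((name, r.get("Direction"), program))
    return hits


def matching_drivers(pnputil_text):
    """Driver-store packages whose original INF is one the sample installed."""
    return [(r.get("Published Name"), r.get("Original Name"), r.get("Driver Version"))
            for r in parse_records(pnputil_text, "Published Name")
            if r.get("Original Name", "").lower() in INF_NAMES]


def hash_matches(root, known=KNOWN_SHA256):
    """Walk root and return (path, sha256) for files whose digest is in known."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, h = os.path.join(dirpath, name), hashlib.sha256()
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue  # locked or unreadable file; skip rather than abort the sweep
            if h.hexdigest() in known:
                hits.append((path, h.hexdigest()))
    return hits


# Constructed samples in the layout of the two commands; provider names are placeholders.
SAMPLE_NETSH = r"""
Rule Name:                            MonectServerService
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Program:                              C:\Users\Admin\AppData\Local\Temp\MonectServerService.exe
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              C:\Windows\system32\svchost.exe
Action:                               Allow
"""
SAMPLE_PNPUTIL = r"""
Microsoft PnP Utility

Published Name:     oem3.inf
Original Name:      vjoy.inf
Provider Name:      <constructed>
Class Name:         Human Interface Devices
Driver Version:     12.53.21.621

Published Name:     oem4.inf
Original Name:      vigembus.inf
Provider Name:      <constructed>
Class Name:         System
Driver Version:     1.16.112.0
"""

if __name__ == "__main__":
    if sys.platform == "win32":  # live data from the host
        def run(*cmd):
            return subprocess.run(cmd, capture_output=True, text=True).stdout
        netsh_text = run("netsh", "advfirewall", "firewall", "show", "rule", "name=all", "verbose")
        pnputil_text = run("pnputil", "/enum-drivers")
        temp_root = os.path.join(os.environ["LOCALAPPDATA"], "Temp")
    else:  # offline: the constructed samples above
        netsh_text, pnputil_text, temp_root = SAMPLE_NETSH, SAMPLE_PNPUTIL, os.getcwd()
    for hit in suspicious_rules(netsh_text) + matching_drivers(pnputil_text) + hash_matches(temp_root):
        print(hit)
```

Rules created by netsh carry the `name=` value as their display name, which is what `show rule` prints, so the match is on that field; the Temp-path check catches renamed rules pointing at the same binaries. Run the driver and hash sweeps from an elevated prompt if the files under test are not readable by the current user.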
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.7MB
  MD5:    5cb42a31e35004ad81e5e89092adf3bc
  SHA1:   afdd47f3a2ec58f15abb2626e1233f5e356e8908
  SHA256: 44812fe5fe3b848d7d592278382c7c0370eba3115a9bd7f8db22efb89d1ed2b3
  SHA512: 328b35bb2b4963abc01602e2f0a78bf540c12e055bea3990d346e06edf53b5682c3387b6f86fbcf8552e2714c9d3ae6db28ca2a37a2bceb9db7e97076e932c1e

- Filesize: 26KB
  MD5:    bffc21f44b02fbdd4a09c445db87ec59
  SHA1:   f7ca5a2d0b2eb9ecaf75cbfcc73eeb65889490c8
  SHA256: 8668f69c256baff9422ac9b3ab77448c21b5043547920591148b152cb3afb0d2
  SHA512: 87ee090ed4581650a491df30e26da5420ae4d6a83d178ae9e0b0ca419e367a5f31424df407d0fab55a78f2300a712c66c62ef15425e44ae5bd8100f790fbda78

- Filesize: 65KB
  MD5:    cc63b7e91816e5001fe79a840916f1c9
  SHA1:   63ff46f8b85bc29e298ef2ac7a434ff2df49918e
  SHA256: 297f9c12df8bd91640439c0bf7fe1ee391bbd01d330f5e1604a29c4669977774
  SHA512: 58fdcec81b6cff4e0d3a44ca93cfe1d86d8849afd0dd31af3a0d6e94483b5492a0f4729b3a0996084b56d4f5584166c4902abe195784ac7c2584489d699f0e48

- Filesize: 10KB
  MD5:    731f3d80f2296e3e13f4335885fa2556
  SHA1:   27e8a4a8eb907b1b1c8b720ef02a45bf9b1c6124
  SHA256: 33fe32886a8bf72769c3e4991265546c3d1cca9247dbb661f23f7f82362226a4
  SHA512: b154c375f49934c1858646e9e750fcb7b06d6c453f61d283bb5ee5d2fe509f887d796d722d8fb7084734ee178549a33a85b23d012dc9bcd5c74136700dc4ceb4

- Filesize: 37KB
  MD5:    f0011e73036eee3e53ab2dba1460bc72
  SHA1:   f4693ff6cb676942ebb7cc0d3d284ea1747963c6
  SHA256: 06e4ce5edab923f25e737af624477afa000736637cc82911cbd8c11529bc5d96
  SHA512: a338bb454d69808497e648905c33c4c8bd697d3bc1986e189e06b7f26695cf312bf157a50dc31371931b93b733b366b316c2da0c62626d19f2c1aba34da10a1d

- Filesize: 11KB
  MD5:    fb06e77f7c7bc0902d416c079c32d6a3
  SHA1:   b75aee99d492d84e83cc5ddba4791b8d2a570e7a
  SHA256: 784ea14d897c88be331d5c129d254a3a09add3d47066ad2879adecef3f00c97d
  SHA512: 1d0299593a0ce9ec23784b52602475ddea6e1b86dd3a02173061fdd9b724627265a3d6f8f08fd955615b972e9887111158fb86125c0dfde3659b4854294b66cb

- Filesize: 9KB
  MD5:    e67c26e6c46015f05da50046aacf8581
  SHA1:   32dfcee6d080e1b0c8012f8a6198f1e7d2afa3a0
  SHA256: 5b03a642a52d5ee895931c8fad98b2a67f20331c313aec42aa96d76c9c3ff928
  SHA512: dd197b897c71f11abb9eefbad70691ed0b2b2ad0636616276d08d2c2a002b99e1ff7c5c47a54df94967f9a9f8c977fafba247f6aecfaa917dfb7efdb2d983493

- Filesize: 2KB
  MD5:    c75c1a401eba37e59c4477b22f8ced9b
  SHA1:   5e845664f66e4d005fa2b041db4c9f6bf0d564a9
  SHA256: 63774d6149f036c0d9faf98b062fea6b97debed559a9522099e46b54fe58da40
  SHA512: 1a12908961361eeea00b98174434e931f5d575a9cf72858a21536c2900c7c55107b5d34952cc149119572d3ea93e3c7d2fca018dd3535660dfb008c82eff8bb2

- Filesize: 67KB
  MD5:    129165f67ccbb25be6be8ae2f0c15dda
  SHA1:   499865e046dc1d70edbf2a31ef06c03b6c6ea855
  SHA256: 1a1e57cb0dd7ca08d96bbb1b6ce667e3273702c13a7ecf86839b7642ef8255e0
  SHA512: 4666cf73ef77b0e7b86822fdc18743d41496c46686a91535ed7757dbdb8e0354489383aa4a27ab943e26360e8e1c8aed5600724034e0e6c38163faea24344ca2

- Filesize: 1.7MB
  MD5:    f279d3e406114192148dd976de222138
  SHA1:   0567e9073c46c40e60e2ecd0a509579f029efd8e
  SHA256: 1a7627c11aecf24e8e0c9a519498e8456f0457bd89f0ffe649bd8fb53a194f89
  SHA512: e72d1011bd3c4208c3733228aac45a6ae00c3979ffb49130d4141293764db1b91551edf9340b5cc5c987b848e3ffc661b8084923c2032b175fcf55321f42dc25