privateloader | b1707825c0f2fde7bfdbb5f4a4cef4002a935b2c9edfa93f512127f430cfbdd0

Analysis

max time kernel
63s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240419-es
resource tags

arch:x64arch:x86image:win10v2004-20240419-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
04/05/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCRemoteReceiverSetup_7_5_16.exe
Size

63.3MB
MD5

ca3eb78b4bfcd2388bf49a980f1053b7
SHA1

81c60fff0a2f0bf8e8ffc4161b0ed00fd3353a9f
SHA256

b1707825c0f2fde7bfdbb5f4a4cef4002a935b2c9edfa93f512127f430cfbdd0
SHA512

5f02bd4cab05cd242f3605ab027c11d28b855bd9180ff52aa14963248e2778cacc36466dcca684c0c17c9bab874f12b3a3e2d3ca655570831101cfc5c1022e51
SSDEEP

1572864:DGr9D2YYvt8/7Z9lRA9lg5yJRotDthtYt/1vv+W5x/t6rRYyjvZXTpoZC86:DO9DoFE3lKYgJ1cW5+ruyjv1Nos86

Score

10^/10

privateloader discovery evasion loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SETEF13.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETEF24.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETEF13.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\vjoy.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SETEF24.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\hidkmdf.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SETF155.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETF155.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\ViGEmBus.sys	DrvInst.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	api.ipify.org
53	api.ipify.org

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3168	netsh.exe
2680	netsh.exe
1532	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	PCRemoteReceiver.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\x64\ViGEmBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETECE2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.PNF	driververifyx64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\x64\SETF06B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\x64\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\SETF07D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\SETF156.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\vjoy.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETED23.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\SETF07C.tmp	DrvInst.exe
File created	C:\Windows\System32\SETF156.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\x64\SETF06B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\vigembus.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.PNF	driververifyx64.exe
File created	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETECD2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETECE2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\vigembus.PNF	driververifyx64.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\x64\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\ViGEmBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\ViGEmBus.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETEC73.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\SETF07C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\hidkmdf.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vjoy.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\x64\ViGEmBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\x64\SETF06C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\SETF07D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\hidkmdf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.PNF	driververifyx64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETED22.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETED22.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\vJoy.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETED23.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vjoy.inf_amd64_958aef712eba5057\vJoy.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETEC73.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\SETECD2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_dc012c700833063e\vigembus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\x64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{19fb6712-62f7-474c-875c-b03ebf051dd4}\vjoy.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{89b8b215-8d50-e446-b62a-69162ad15673}\x64\SETF06C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\PC Remote Receiver\driververifyx64.exe	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\MonectServerService.exe	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\fonts\MaterialIcons-Regular.ttf	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\English.vlp	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Hokuto.No.Ken(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Kage(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\vJoy\hidkmdf.sys	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\ViGEm\vigembus.cat	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Pac-Man(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\swscale-6.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\TouchInput.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\RXSuper4in1.zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\avutil-57.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\legacy\vJoy\vJoy.sys	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\mfwrap.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\SDL2.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\TMNT3.zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\legacy\ViGEm\vigembus.cat	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Kage.No.Densetsu(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Dig.Dug(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Donkey.Kong.Classics(U).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Excitebike(JU).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Super.Mario.USA(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\legacy\vJoy\vjoy.inf	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\VirtuaNES.ini	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\install.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\swresample-4.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Circus.Charlie(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Yie.Ar.Kung-Fu(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\zlib1.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\vJoy\vjoy.inf	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\rtcompress.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\officehook.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\PCRemoteReceiver.exe	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Battle.City(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\legacy\vJoy\WdfCoinstaller01009.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\libwebp-7.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\legacy\ViGEm\x64\WdfCoinstaller01009.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\Packages\vc_redist.x64.exe	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\QRCodeEncoder.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\VirtuaNES.exe	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\BOMBMAN.zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Castlevania3-Draculas.Curse.zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\vJoy\vJoy.sys	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\usbmmidd_v2\License.txt	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Hudson.s.Adventure.Island(U).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\ViGEm\x64\ViGEmBus.sys	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\MonectMediaCenter.exe	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Archon(U).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Ice.Climber(JE).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Jackal(U)NEW.zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Super.Contra(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\vJoy\vjoy.cat	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\usbmmidd_v2\x64\usbmmIdd.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\TMNT2.zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\Contra(J).zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\emulators\virtuanes\roms\LIFEFORC.zip	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\lang\zh_cn.lg	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\MonectServer.exe	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\libpng16-16.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\SDL2_image.dll	PCRemoteReceiverSetup_7_5_16.exe
File opened for modification	C:\Program Files\PC Remote Receiver\PC Remote Receiver.url	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\vJoy\WdfCoinstaller01009.dll	PCRemoteReceiverSetup_7_5_16.exe
File created	C:\Program Files\PC Remote Receiver\driver\usbmmidd_v2\usbmmIdd.inf	PCRemoteReceiverSetup_7_5_16.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	driververifyx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	driververifyx64.exe

Executes dropped EXE 8 IoCs

pid	Process
4540	vc_redist.x64.exe
1424	vc_redist.x64.exe
2148	PCRemoteReceiver.exe
1140	MonectRuntimeCheck.exe
4740	driververifyx64.exe
1040	MonectServerService.exe
4056	driververifyx64.exe
2164	MonectServer.exe

Loads dropped DLL 14 IoCs

pid	Process
2732	PCRemoteReceiverSetup_7_5_16.exe
2732	PCRemoteReceiverSetup_7_5_16.exe
2732	PCRemoteReceiverSetup_7_5_16.exe
1424	vc_redist.x64.exe
2732	PCRemoteReceiverSetup_7_5_16.exe
2148	PCRemoteReceiver.exe
2148	PCRemoteReceiver.exe
2148	PCRemoteReceiver.exe
2148	PCRemoteReceiver.exe
2148	PCRemoteReceiver.exe
2148	PCRemoteReceiver.exe
2148	PCRemoteReceiver.exe
1140	MonectRuntimeCheck.exe
1040	MonectServerService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	driververifyx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	driververifyx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	driververifyx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	driververifyx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	driververifyx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	driververifyx64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	driververifyx64.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1976	TaskKill.exe
2280	TaskKill.exe
1676	TaskKill.exe
2224	TaskKill.exe
1288	TaskKill.exe
2304	TaskKill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MonectServerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	MonectServerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	TaskKill.exe
Token: SeDebugPrivilege	2280	TaskKill.exe
Token: SeDebugPrivilege	1676	TaskKill.exe
Token: SeDebugPrivilege	2224	TaskKill.exe
Token: SeDebugPrivilege	1288	TaskKill.exe
Token: SeDebugPrivilege	2304	TaskKill.exe
Token: SeAuditPrivilege	2340	svchost.exe
Token: SeSecurityPrivilege	2340	svchost.exe
Token: SeLoadDriverPrivilege	4740	driververifyx64.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeBackupPrivilege	1676	DrvInst.exe
Token: SeRestorePrivilege	1676	DrvInst.exe
Token: SeBackupPrivilege	1676	DrvInst.exe
Token: SeLoadDriverPrivilege	1676	DrvInst.exe
Token: SeLoadDriverPrivilege	1676	DrvInst.exe
Token: SeLoadDriverPrivilege	1676	DrvInst.exe
Token: 33	4272	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4272	AUDIODG.EXE
Token: SeLoadDriverPrivilege	4740	driververifyx64.exe
Token: SeRestorePrivilege	4908	DrvInst.exe
Token: SeBackupPrivilege	4908	DrvInst.exe
Token: SeRestorePrivilege	4908	DrvInst.exe
Token: SeBackupPrivilege	4908	DrvInst.exe
Token: SeLoadDriverPrivilege	4908	DrvInst.exe
Token: SeLoadDriverPrivilege	4908	DrvInst.exe
Token: SeLoadDriverPrivilege	4908	DrvInst.exe
Token: SeLoadDriverPrivilege	4056	driververifyx64.exe
Token: SeLoadDriverPrivilege	4056	driververifyx64.exe
Token: SeLoadDriverPrivilege	4056	driververifyx64.exe
Token: SeLoadDriverPrivilege	4056	driververifyx64.exe
Token: SeLoadDriverPrivilege	4056	driververifyx64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2148	PCRemoteReceiver.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2148	PCRemoteReceiver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	PCRemoteReceiver.exe
2148	PCRemoteReceiver.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1976	2732	PCRemoteReceiverSetup_7_5_16.exe	102
PID 2732 wrote to memory of 1976	2732	PCRemoteReceiverSetup_7_5_16.exe	102
PID 2732 wrote to memory of 1976	2732	PCRemoteReceiverSetup_7_5_16.exe	102
PID 2732 wrote to memory of 2280	2732	PCRemoteReceiverSetup_7_5_16.exe	104
PID 2732 wrote to memory of 2280	2732	PCRemoteReceiverSetup_7_5_16.exe	104
PID 2732 wrote to memory of 2280	2732	PCRemoteReceiverSetup_7_5_16.exe	104
PID 2732 wrote to memory of 1676	2732	PCRemoteReceiverSetup_7_5_16.exe	106
PID 2732 wrote to memory of 1676	2732	PCRemoteReceiverSetup_7_5_16.exe	106
PID 2732 wrote to memory of 1676	2732	PCRemoteReceiverSetup_7_5_16.exe	106
PID 2732 wrote to memory of 2224	2732	PCRemoteReceiverSetup_7_5_16.exe	108
PID 2732 wrote to memory of 2224	2732	PCRemoteReceiverSetup_7_5_16.exe	108
PID 2732 wrote to memory of 2224	2732	PCRemoteReceiverSetup_7_5_16.exe	108
PID 2732 wrote to memory of 1288	2732	PCRemoteReceiverSetup_7_5_16.exe	110
PID 2732 wrote to memory of 1288	2732	PCRemoteReceiverSetup_7_5_16.exe	110
PID 2732 wrote to memory of 1288	2732	PCRemoteReceiverSetup_7_5_16.exe	110
PID 2732 wrote to memory of 2304	2732	PCRemoteReceiverSetup_7_5_16.exe	112
PID 2732 wrote to memory of 2304	2732	PCRemoteReceiverSetup_7_5_16.exe	112
PID 2732 wrote to memory of 2304	2732	PCRemoteReceiverSetup_7_5_16.exe	112
PID 2732 wrote to memory of 4540	2732	PCRemoteReceiverSetup_7_5_16.exe	114
PID 2732 wrote to memory of 4540	2732	PCRemoteReceiverSetup_7_5_16.exe	114
PID 2732 wrote to memory of 4540	2732	PCRemoteReceiverSetup_7_5_16.exe	114
PID 4540 wrote to memory of 1424	4540	vc_redist.x64.exe	115
PID 4540 wrote to memory of 1424	4540	vc_redist.x64.exe	115
PID 4540 wrote to memory of 1424	4540	vc_redist.x64.exe	115
PID 2732 wrote to memory of 2148	2732	PCRemoteReceiverSetup_7_5_16.exe	117
PID 2732 wrote to memory of 2148	2732	PCRemoteReceiverSetup_7_5_16.exe	117
PID 2148 wrote to memory of 1140	2148	PCRemoteReceiver.exe	118
PID 2148 wrote to memory of 1140	2148	PCRemoteReceiver.exe	118
PID 1140 wrote to memory of 4740	1140	MonectRuntimeCheck.exe	120
PID 1140 wrote to memory of 4740	1140	MonectRuntimeCheck.exe	120
PID 2340 wrote to memory of 2220	2340	svchost.exe	123
PID 2340 wrote to memory of 2220	2340	svchost.exe	123
PID 2340 wrote to memory of 1676	2340	svchost.exe	124
PID 2340 wrote to memory of 1676	2340	svchost.exe	124
PID 2340 wrote to memory of 1072	2340	svchost.exe	127
PID 2340 wrote to memory of 1072	2340	svchost.exe	127
PID 2340 wrote to memory of 4908	2340	svchost.exe	128
PID 2340 wrote to memory of 4908	2340	svchost.exe	128
PID 1140 wrote to memory of 3168	1140	MonectRuntimeCheck.exe	130
PID 1140 wrote to memory of 3168	1140	MonectRuntimeCheck.exe	130
PID 1040 wrote to memory of 4056	1040	MonectServerService.exe	132
PID 1040 wrote to memory of 4056	1040	MonectServerService.exe	132
PID 1040 wrote to memory of 2164	1040	MonectServerService.exe	134
PID 1040 wrote to memory of 2164	1040	MonectServerService.exe	134
PID 1140 wrote to memory of 2680	1140	MonectRuntimeCheck.exe	136
PID 1140 wrote to memory of 2680	1140	MonectRuntimeCheck.exe	136
PID 1140 wrote to memory of 1532	1140	MonectRuntimeCheck.exe	138
PID 1140 wrote to memory of 1532	1140	MonectRuntimeCheck.exe	138

C:\Users\Admin\AppData\Local\Temp\PCRemoteReceiverSetup_7_5_16.exe
"C:\Users\Admin\AppData\Local\Temp\PCRemoteReceiverSetup_7_5_16.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM PCRemoteReceiver.exe /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM MonectServerService.exe /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM MonectMediaCenter.exe /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM MonectRuntimeCheck.exe /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM MonectServer.exe /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM driververifyx64.exe /F /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Program Files\PC Remote Receiver\Packages\vc_redist.x64.exe
  "C:\Program Files\PC Remote Receiver\Packages\vc_redist.x64.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\Temp\{685ED016-4D0B-433E-B844-13216E987285}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{685ED016-4D0B-433E-B844-13216E987285}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\PC Remote Receiver\Packages\vc_redist.x64.exe" -burn.filehandle.attached=556 -burn.filehandle.self=552 /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1424
- C:\Program Files\PC Remote Receiver\PCRemoteReceiver.exe
  "C:\Program Files\PC Remote Receiver\PCRemoteReceiver.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Program Files\PC Remote Receiver\MonectRuntimeCheck.exe
    "C:\Program Files\PC Remote Receiver\MonectRuntimeCheck.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Program Files\PC Remote Receiver\driververifyx64.exe
      "C:\Program Files\PC Remote Receiver\driververifyx64.exe"
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:4740
  - - C:\Windows\System32\netsh.exe
      advfirewall firewall add rule name="MonectServerService" dir=in action=allow program="C:\Program Files\PC Remote Receiver\MonectServerService.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3168
  - - C:\Windows\System32\netsh.exe
      advfirewall firewall add rule name="PCRemoteReceiver" dir=in action=allow program="C:\Program Files\PC Remote Receiver\PCRemoteReceiver.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2680
  - - C:\Windows\System32\netsh.exe
      advfirewall firewall add rule name="MonectMediaCenter" dir=in action=allow program="C:\Program Files\PC Remote Receiver\MonectMediaCenter.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f1f49106-146f-e748-b150-08e6057651b7}\vjoy.inf" "9" "49e52482b" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files\pc remote receiver\driver\vjoy"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2220
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:b2fe4818a00a2e82:vjoy.Inst.Win7:12.53.21.621:root\vid_1234&pid_bead&rev_0219," "49e52482b" "0000000000000158"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8e893762-a4c3-5545-af05-6a7bd25e4e1a}\vigembus.inf" "9" "429a86e87" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "c:\program files\pc remote receiver\driver\vigem"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1072
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c14ce88408607219:ViGEmBus_Device:1.16.112.0:nefarius\vigembus\gen1," "429a86e87" "0000000000000158"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4908

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x45c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Program Files\PC Remote Receiver\MonectServerService.exe
"C:\Program Files\PC Remote Receiver\MonectServerService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Program Files\PC Remote Receiver\driververifyx64.exe
  -disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Program Files\PC Remote Receiver\MonectServer.exe
  "C:\Program Files\PC Remote Receiver\MonectServer.exe"
  2⤵
  - Executes dropped EXE
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\PC Remote Receiver\MonectRuntimeCheck.exe

Filesize
121KB

MD5
855868707c8daba66438545fba07b490

SHA1
cb28feed2dc91fbb47dd3da4527ac7fb00a04f25

SHA256
7a3846a11ebe48d769c2983931fad9c71a924b2f0d892a478aeff528e108883e

SHA512
df3cd7a00eb562412b204cbb8e06cb31917b665f01cb9f521a8ba66ede8440b208f705da17159048e34327ca00d0c1b926bd1a78c0543c272203cb749c55dca3

Download Submit
C:\Program Files\PC Remote Receiver\MonectServer.exe

Filesize
158KB

MD5
67d3e56a71739c8da1b63f67ff0b2d3e

SHA1
00fd96b988ffe43ca6f82509de75ca8cdd7a7d2f

SHA256
68c45fb8ef63e88d843a902444c7abba285244b88711f75e0e5c5836535cb46f

SHA512
68e83c3203b6ed6f839f88820789e18e48ad9984ee5a259c25467eadeea8cadb1cd838a21eb21d2badec9944dfb55b7e12eaab804c0c4a1d85d1b6201b24701c

Download Submit
C:\Program Files\PC Remote Receiver\MonectServerService.exe

Filesize
2.5MB

MD5
ff7e7658509e639ee022b9a079df1c52

SHA1
052c6f08e11ab143d653f3db27390da0673ac1d2

SHA256
8ee17b3085f769d34a7da47fb61d29f9c46326c0be1e52f29a87a3cdb0c11f54

SHA512
f7d4ffc09c1e53bf5cc985d470ed488578c9935c2d9ba8176217ae76a929ffa0b634d5f2503c57e7b8a10ff4e42e34c5556cab79be825f45580e63a4b85b5cef

Download Submit
C:\Program Files\PC Remote Receiver\PCRemoteReceiver.exe

Filesize
7.2MB

MD5
1f131b830b107f7ff0e12be96cac1eb1

SHA1
1abb094ccb683d7e5ab18c1fe3bc37ad777accba

SHA256
22720868281ba4a699ebe9e34a94865bfb40207b386672d0afa4e4daba94bc0d

SHA512
c4df0294a1b25f96de69bf228f6b8612a9ab6f048110de441f83ef088296cb7106cc1dd125b32f4784395f99f579a4090c35a6db801d8ee442e57344858142eb

Download Submit
C:\Program Files\PC Remote Receiver\Packages\vc_redist.x64.exe

Filesize
14.3MB

MD5
f0248d477e74687c5619ae16498b13d4

SHA1
9ed4b091148c9b53f66b3f2c69be7e60e74c486a

SHA256
b6c82087a2c443db859fdbeaae7f46244d06c3f2a7f71c35e50358066253de52

SHA512
0c373b06ffe84f3e803831e90f22d7d73304e47a47839db614f63399ff1b7fcf33153bf3d23998877c96d2a75e316291a219fdd12358ca48928526284b802591

Download Submit
C:\Program Files\PC Remote Receiver\SDL2.dll

Filesize
2.2MB

MD5
5a2819c823a5af53420511a1ceb7a9aa

SHA1
3b80b1228631abbb7f2745828a25cbce0d9dce09

SHA256
81c70b7bfa5690b0ff20c15caa499f615a82cf5b49d278da89265eb836036465

SHA512
da85ca5a8666eb5a2a4bc6b0c9e2f7b7811eb22fe1632a8604274f4fdd5b4303e8943b85cdacb4a3378261d1c0c2d754f4db372294a7146c26a9a546ba83b399

Download Submit
C:\Program Files\PC Remote Receiver\SDL2_image.dll

Filesize
122KB

MD5
b8d249a5e394b4e6a954c557af1b80e6

SHA1
b03bb9d09447114a018110bfb91d56ef8d5ec3bb

SHA256
1e364af75fee0c83506fbdfd4d5b0e386c4e9c6a33ddbddac61ddb131e360194

SHA512
2f2e248c3963711f1a9f5d8baea5b8527d1df1748cd7e33bf898a380ae748f7a65629438711ff9a5343e64762ec0b5dc478cdf19fbf7111dac9d11a8427e0007

Download Submit
C:\Program Files\PC Remote Receiver\avutil-57.dll

Filesize
940KB

MD5
fa3f45bb731c4de12e3f56662d488164

SHA1
d1988df5b0c643ba9b7729b0312fdfb2d2d61077

SHA256
cb86f74c46b1771d9ce5aba2fd83796b60c0d2a3f1f9ba7ed9cc111f0b25b0a1

SHA512
1c209ab2589ef5f3eb43e954cc85349e81b9c28a01f1ae8646520c3aab57a8f9798b421b816235646853954b677a8fbf97e3048ed231a36d48a58faa086468a9

Download Submit
C:\Program Files\PC Remote Receiver\channel.dll

Filesize
3.5MB

MD5
a84a04ad46b430f2f784d7da2dc256e9

SHA1
cc817715e7db73e5ba4d1462bc717c4af178b2a5

SHA256
ca286604d2e3d576e95c414df2e3d32fb2260da136b50f539fc76e1812cc0966

SHA512
02a495ec649aae1eaa87094d4fdee74df880cedaed97668b514f9b194fc23f763a3ae70329f2985681e8f22a2a3e123c5e17e2d3c2eec680046aea4ef01ba97e

Download Submit
C:\Program Files\PC Remote Receiver\driver\ViGEm\ViGEmBus.inf

Filesize
2KB

MD5
c75c1a401eba37e59c4477b22f8ced9b

SHA1
5e845664f66e4d005fa2b041db4c9f6bf0d564a9

SHA256
63774d6149f036c0d9faf98b062fea6b97debed559a9522099e46b54fe58da40

SHA512
1a12908961361eeea00b98174434e931f5d575a9cf72858a21536c2900c7c55107b5d34952cc149119572d3ea93e3c7d2fca018dd3535660dfb008c82eff8bb2

Download Submit
C:\Program Files\PC Remote Receiver\driver\vJoy\vjoy.inf

Filesize
10KB

MD5
731f3d80f2296e3e13f4335885fa2556

SHA1
27e8a4a8eb907b1b1c8b720ef02a45bf9b1c6124

SHA256
33fe32886a8bf72769c3e4991265546c3d1cca9247dbb661f23f7f82362226a4

SHA512
b154c375f49934c1858646e9e750fcb7b06d6c453f61d283bb5ee5d2fe509f887d796d722d8fb7084734ee178549a33a85b23d012dc9bcd5c74136700dc4ceb4

Download Submit
C:\Program Files\PC Remote Receiver\driververifyx64.exe

Filesize
158KB

MD5
70706a45954282e4fbd88e56bfa0de64

SHA1
2b0711c1874e8b729a2a9548a48f9d82ef0c2caf

SHA256
262b46dd994d187d03c8391a7f454e0f223b8a4f7c4e4bbcc0b2195f8519f0df

SHA512
f253bf614b0a623d1604f74075723f78ae8fd2a30caecf5066c33133b5ba4f67b5201451e48c07327d343f77287eec7a15ef0de31a563af08cb015e1fb5a576f

Download Submit
C:\Program Files\PC Remote Receiver\install.dll

Filesize
26KB

MD5
b343876cb4c4574e675ef636074dac2f

SHA1
af43f04949b1405bb5015de99603ff5f7a40d09a

SHA256
10acbcf011f06a42d9f2577abdd5d455d6770ec7dfefd0da2832e1f36231819e

SHA512
886998baf7e063b4eb5793760f44b68c7ab04df8fb167d79ab3293582ed26e6b8d89790dc330aa92c782b22a879d42feb0010d6c6166eae97a13d7b8304a9358

Download Submit
C:\Program Files\PC Remote Receiver\lang\en_us.lg

Filesize
12KB

MD5
eacd9c8aa0725f2ecd4953f56a1bc769

SHA1
6b9b029c4ff464c17f4f94c999ad3ed2051e4259

SHA256
db923c6b728fcbf6d7e6bdb3906bcbd2b0e169d188f1da8f953bd3a0ff1e9e89

SHA512
0b08970ed8a476fea3378118a1d7ffa2b9e5a7a3896a084592ac6c4942a1d0fd4089624284116d8912392153016e46b97fb3032751157d1eaa4951ffa2e95dab

Download Submit
C:\Program Files\PC Remote Receiver\swresample-4.dll

Filesize
423KB

MD5
d4ba67aba67be2d58a0f4f0742cc6272

SHA1
71629abdcd513dc3e6704fb55f71b28f09d23dac

SHA256
339114e12aaf6c5c4d5f17605eac4665ec570ff5de189adada800c177b238932

SHA512
f6a14f86636c078aadb9543e4660ad827f71a6bda3067a0490d4ab68d09197f05106e7d52e02fe989bca44f130ce265c1fde7c4dbec27b9dbc0e6180e92b7b6b

Download Submit
C:\Program Files\PC Remote Receiver\swscale-6.dll

Filesize
589KB

MD5
ce2c506023961712261ebf67296864de

SHA1
eaa7eac0ef9e7770876324f2934a2317f1519b7d

SHA256
b2c3ee9cdc0e5292040bcd3336390e77ae8b467d65faa80f7e68625a619b32de

SHA512
5dafe6784faeb6cad509ebbca44e51b2b971369fafecacffc8915d4980bd303f57201183669c7c4972ad8d0a3ebe32ebccaf4544fd66ed1c21893992ce1d5d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5257.tmp\InstallOptions.dll

Filesize
15KB

MD5
0a9fb96a7579b685ec36b17fc354e6a3

SHA1
355754104dd47d5fcf8918dee0dc2e2ee53390a6

SHA256
b34fb342f21d690aac024b6f48a597e78d15791ef480ac55159cd585d0f64af7

SHA512
67870206fa7f1e7df45c8c1bc2f51fb430f0a048a2bdb55a4a41525388ca3b50203784537f139169705a03db4bb13b591162a79a5d2df81a4d11fd849615c86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5257.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5257.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5257.tmp\ioSpecial.ini

Filesize
1KB

MD5
176af619f6e83b8706c95df00b229192

SHA1
dd043ed4b4780582011c7fb8dbb2a4b0ce15451d

SHA256
550feb4e3d7ebd171fbf340aa627ed414589e3210b9e04fa34eaa05394febb34

SHA512
0ab95674bc9001daef8e0387e2b7cd73d52e1f301a1547a45012e1d37577dfb313b9a77937788c02bdaa0293d514e5ca9bbf10275736d52718025af9bb5a2ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5257.tmp\ioSpecial.ini

Filesize
1KB

MD5
e79f7ee8d0114f6fb67bc0e7b4974a33

SHA1
9a3195d1649cdc55945567144dede1824914d9ed

SHA256
e88de56451369f0da15b9d16f178c41c57c4c793f2e0b2c43a2b9b835b8aa459

SHA512
a6413ca9b59d835322bfff81b6b2e4c60c963e248648a4358c2e6afcef0abf0620b5c375d22077b9f50037054bd9d559351a3806d1359be2f77999f64a8c3ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5257.tmp\ioSpecial.ini

Filesize
1KB

MD5
fcb0e2617ec297320dee75bba02a39de

SHA1
4619cf34fabb17d2cf9343ec254f74537df0c510

SHA256
9c5c8d1443e78b2fa3ee047a770d1d79523518e874bd28d345faaec172fb10d0

SHA512
47bb4fb736d843272fbbf74d79fd90dffa9fa2ba06358fc1fbd83541d1bb2d1c2d842f35d7778953e4fb4cf06033d89a743a461dfeb7d6f195faab2993c80876

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
62de6a3fe9e99ea924e8f0a8c894ea79

SHA1
ec5279a170c028e89d22d4cdaaaa63841c71124d

SHA256
3f35cac7c2ceb3e6c7221084f52e76d558c516ee1bb39a68bb65323029c62bcd

SHA512
a561388aef8c69c5ceaa152afafb713f975c1f5861d0f0647eecacb85a21bcfbb44ea77c980e60e18ff02ae5557431383e86a4c7cf19905cc72ed92afa77d672

Download Submit
C:\Windows\Temp\{685ED016-4D0B-433E-B844-13216E987285}\.cr\vc_redist.x64.exe

Filesize
632KB

MD5
843288fd72a1152b50b4e4b7344bb592

SHA1
648416c53721a85666abaf71c6682fcc1da70b48

SHA256
82c3e3423e48bafcdd726624eb7fd3e00674e50e4b6acdcac408fe8fae43b022

SHA512
04b61bb0a6e748ab78b1037db68bc9ec1745bb3efaca0b8fb6d99e01abbe08a67168cbf3f714b72daf00da26084ec6f6f707c3cd08fa8243023e6924719a4e41

Download Submit
C:\Windows\Temp\{ED5ADFD4-CDDD-414B-8F0F-860C53EB27BE}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{ED5ADFD4-CDDD-414B-8F0F-860C53EB27BE}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\??\c:\PROGRA~1\PCREMO~1\driver\vigem\x64\ViGEmBus.sys

Filesize
67KB

MD5
129165f67ccbb25be6be8ae2f0c15dda

SHA1
499865e046dc1d70edbf2a31ef06c03b6c6ea855

SHA256
1a1e57cb0dd7ca08d96bbb1b6ce667e3273702c13a7ecf86839b7642ef8255e0

SHA512
4666cf73ef77b0e7b86822fdc18743d41496c46686a91535ed7757dbdb8e0354489383aa4a27ab943e26360e8e1c8aed5600724034e0e6c38163faea24344ca2

Download Submit
\??\c:\PROGRA~1\PCREMO~1\driver\vigem\x64\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
f279d3e406114192148dd976de222138

SHA1
0567e9073c46c40e60e2ecd0a509579f029efd8e

SHA256
1a7627c11aecf24e8e0c9a519498e8456f0457bd89f0ffe649bd8fb53a194f89

SHA512
e72d1011bd3c4208c3733228aac45a6ae00c3979ffb49130d4141293764db1b91551edf9340b5cc5c987b848e3ffc661b8084923c2032b175fcf55321f42dc25

Download Submit
\??\c:\PROGRA~1\PCREMO~1\driver\vjoy\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
5cb42a31e35004ad81e5e89092adf3bc

SHA1
afdd47f3a2ec58f15abb2626e1233f5e356e8908

SHA256
44812fe5fe3b848d7d592278382c7c0370eba3115a9bd7f8db22efb89d1ed2b3

SHA512
328b35bb2b4963abc01602e2f0a78bf540c12e055bea3990d346e06edf53b5682c3387b6f86fbcf8552e2714c9d3ae6db28ca2a37a2bceb9db7e97076e932c1e

Download Submit
\??\c:\PROGRA~1\PCREMO~1\driver\vjoy\hidkmdf.sys

Filesize
26KB

MD5
bffc21f44b02fbdd4a09c445db87ec59

SHA1
f7ca5a2d0b2eb9ecaf75cbfcc73eeb65889490c8

SHA256
8668f69c256baff9422ac9b3ab77448c21b5043547920591148b152cb3afb0d2

SHA512
87ee090ed4581650a491df30e26da5420ae4d6a83d178ae9e0b0ca419e367a5f31424df407d0fab55a78f2300a712c66c62ef15425e44ae5bd8100f790fbda78

Download Submit
\??\c:\PROGRA~1\PCREMO~1\driver\vjoy\vjoy.sys

Filesize
65KB

MD5
cc63b7e91816e5001fe79a840916f1c9

SHA1
63ff46f8b85bc29e298ef2ac7a434ff2df49918e

SHA256
297f9c12df8bd91640439c0bf7fe1ee391bbd01d330f5e1604a29c4669977774

SHA512
58fdcec81b6cff4e0d3a44ca93cfe1d86d8849afd0dd31af3a0d6e94483b5492a0f4729b3a0996084b56d4f5584166c4902abe195784ac7c2584489d699f0e48

Download Submit
\??\c:\program files\pc remote receiver\driver\vigem\ViGEmBus.cat

Filesize
9KB

MD5
e67c26e6c46015f05da50046aacf8581

SHA1
32dfcee6d080e1b0c8012f8a6198f1e7d2afa3a0

SHA256
5b03a642a52d5ee895931c8fad98b2a67f20331c313aec42aa96d76c9c3ff928

SHA512
dd197b897c71f11abb9eefbad70691ed0b2b2ad0636616276d08d2c2a002b99e1ff7c5c47a54df94967f9a9f8c977fafba247f6aecfaa917dfb7efdb2d983493

Download Submit
\??\c:\program files\pc remote receiver\driver\vjoy\vJoy.cat

Filesize
11KB

MD5
fb06e77f7c7bc0902d416c079c32d6a3

SHA1
b75aee99d492d84e83cc5ddba4791b8d2a570e7a

SHA256
784ea14d897c88be331d5c129d254a3a09add3d47066ad2879adecef3f00c97d

SHA512
1d0299593a0ce9ec23784b52602475ddea6e1b86dd3a02173061fdd9b724627265a3d6f8f08fd955615b972e9887111158fb86125c0dfde3659b4854294b66cb

Download Submit
memory/2148-605-0x000000006A880000-0x000000006A8A7000-memory.dmp

Filesize
156KB

Download
memory/2148-604-0x00007FFDA7D90000-0x00007FFDA7F93000-memory.dmp

Filesize
2.0MB

Download
memory/2148-606-0x00007FFDA7B60000-0x00007FFDA7D90000-memory.dmp

Filesize
2.2MB

Download
memory/2148-603-0x00007FFDA8AC0000-0x00007FFDA8B63000-memory.dmp

Filesize
652KB

Download
memory/2148-602-0x00007FFDA8B70000-0x00007FFDA8C18000-memory.dmp

Filesize
672KB

Download
memory/2148-607-0x00007FFD93F00000-0x00007FFD98E09000-memory.dmp

Filesize
79.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads