3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
Size

10.9MB
MD5

72da4685f7f560a497f7fb644f3a52f7
SHA1

3a6e283df58dfd19d6e6328fb1d55214bfd3f363
SHA256

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944
SHA512

8e0c486d3371400276a71e1199f68cfb58fe96f14a798894ab3ea5460bcb9a41399aec9af12347b7a357d408524143a47dd7a48611ae60377b3812dbb728bf9e
SSDEEP

196608:fozA+9CZKfpCZGhOqhI8HuAUZdzO2Z5zrPzivICK0LowY66ZQyZgw7:fp+9dAIMqhI8fUG2Hz7mvICK0LoP66Zl

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4584 netsh.exe
1648 netsh.exe

pid	process
4584	netsh.exe
1648	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe

Executes dropped EXE 6 IoCs

Processes:

systecv3.exewinrdgv3.exewinrdgv3.exewinrdlv3.exewinrdlv3.exewinrdlv3.exe

pid process

4316 systecv3.exe
3464 winrdgv3.exe
388 winrdgv3.exe
4756 winrdlv3.exe
3348 winrdlv3.exe
2692 winrdlv3.exe

pid	process
4316	systecv3.exe
3464	winrdgv3.exe
388	winrdgv3.exe
4756	winrdlv3.exe
3348	winrdlv3.exe
2692	winrdlv3.exe

Loads dropped DLL 11 IoCs

Processes:

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exewinrdlv3.exewinrdlv3.exe

pid	process
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
4756	winrdlv3.exe
4756	winrdlv3.exe
4756	winrdlv3.exe
2692	winrdlv3.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

winrdlv3.exe

description	ioc	process
File opened (read-only)	\??\R:	winrdlv3.exe
File opened (read-only)	\??\T:	winrdlv3.exe
File opened (read-only)	\??\D:	winrdlv3.exe
File opened (read-only)	\??\F:	winrdlv3.exe
File opened (read-only)	\??\E:	winrdlv3.exe
File opened (read-only)	\??\H:	winrdlv3.exe
File opened (read-only)	\??\Z:	winrdlv3.exe
File opened (read-only)	\??\N:	winrdlv3.exe
File opened (read-only)	\??\A:	winrdlv3.exe
File opened (read-only)	\??\K:	winrdlv3.exe
File opened (read-only)	\??\M:	winrdlv3.exe
File opened (read-only)	\??\U:	winrdlv3.exe
File opened (read-only)	\??\Y:	winrdlv3.exe
File opened (read-only)	\??\G:	winrdlv3.exe
File opened (read-only)	\??\J:	winrdlv3.exe
File opened (read-only)	\??\L:	winrdlv3.exe
File opened (read-only)	\??\W:	winrdlv3.exe
File opened (read-only)	\??\P:	winrdlv3.exe
File opened (read-only)	\??\B:	winrdlv3.exe
File opened (read-only)	\??\I:	winrdlv3.exe
File opened (read-only)	\??\O:	winrdlv3.exe
File opened (read-only)	\??\Q:	winrdlv3.exe
File opened (read-only)	\??\S:	winrdlv3.exe
File opened (read-only)	\??\V:	winrdlv3.exe
File opened (read-only)	\??\X:	winrdlv3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

winrdlv3.exe

description ioc process

File opened for modification \??\PhysicalDrive0 winrdlv3.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	winrdlv3.exe

Drops file in System32 directory 64 IoCs

Processes:

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exewinrdlv3.exesystecv3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Qt5WebEngine.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\test30frames_1080p_ld2.265	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\uvcon.cfg	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1020.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1025.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\imageformats\qicns.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\SysWOW64\Ocular\Download	winrdlv3.exe
File created	C:\Windows\SysWOW64\Ocular\OAgent.ini	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_11_6_18_7_240622046_1_3_41	winrdlv3.exe
File created	C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_11_6_18_4_240618671_4_3_26500	winrdlv3.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\Qt5SerialPort.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\otherfile_icon.png	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\bearer\qgenericbearer.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1029.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\dt_3.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\Qt5Svg.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1044.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_11_6_18_4_240618656_2_3_18467	winrdlv3.exe
File created	C:\Windows\SysWOW64\endata\aw_1010.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\Qt5Positioning.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\Qt\labs\folderlistmodel\qmldir	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1033.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\bakstec3.sys	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1001.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1024.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\SysWOW64\Ocular\Dump	winrdlv3.exe
File opened for modification	C:\Windows\SysWOW64\Ocular\Screen	winrdlv3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\Config\p2p_common.ini	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\qmltooling\qmldbg_profiler.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\officetemplate.kid	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\winoav3.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\SysWOW64\Ocular\FtTemp	winrdlv3.exe
File created	C:\Windows\SysWOW64\winrdlv3.exe	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\dt_4.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\SysWOW64\bakstec3.sys	systecv3.exe
File opened for modification	C:\Windows\SysWOW64\Ocular3Path\SCDT\SetupAppTemp	winrdlv3.exe
File created	C:\Windows\SysWOW64\Ocular\msagentclass.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw2_1002.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\zdefaultskin\zMiniUI.xml	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\Ocular\msmailboxcalss.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\imageformats\qgif.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\SysWOW64\Ocular\PrintData	winrdlv3.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\SysWOW64\bakrdgv3.sys	systecv3.exe
File opened for modification	C:\Windows\SysWOW64\Ocular\OBtEmulator	winrdlv3.exe
File created	C:\Windows\SysWOW64\endata\aw_1036.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1023.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\SysWOW64\endata\aw_1030.dat	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\SysWOW64\Ocular\TSafeDoc	winrdlv3.exe
File opened for modification	C:\Windows\SysWOW64\Ocular\SCDT\DocLog	winrdlv3.exe
File created	C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_11_6_18_10_240624296_3_3_18467	winrdlv3.exe

Drops file in Program Files directory 3 IoCs

Processes:

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exesystecv3.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\winrdgv3.exe	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\winrdgv3.exe	systecv3.exe
File created	C:\Program Files (x86)\Common Files\System\systecv3.exe	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe

Drops file in Windows directory 23 IoCs

Processes:

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exesystecv3.exewinrdlv3.exewinrdlv3.exe

description	ioc	process
File created	C:\Windows\bakrdgv3.sys	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\bakTStartMenu.dat	systecv3.exe
File opened for modification	C:\Windows\bakCertList.dat	systecv3.exe
File opened for modification	C:\Windows\bakSCClient.dat	systecv3.exe
File opened for modification	C:\Windows\bakCameraPack.dat	winrdlv3.exe
File created	C:\Windows\bakwdgv3.sys	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\win.ini	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\bakTKSPack.dat	systecv3.exe
File opened for modification	C:\Windows\bakSCClient.dat	winrdlv3.exe
File opened for modification	C:\Windows\bakTStartMenu.dat	winrdlv3.exe
File opened for modification	C:\Windows\bakTKSPack.dat	winrdlv3.exe
File opened for modification	C:\Windows\bakCertList.dat	winrdlv3.exe
File opened for modification	C:\Windows\win.ini	winrdlv3.exe
File created	C:\Windows\bakoav3.sys	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\bakrdlv3.sys	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\bakstec3.sys	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\bakwdgv364.sys	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File created	C:\Windows\LInstSvr.exe	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
File opened for modification	C:\Windows\bakCameraPack.dat	systecv3.exe
File opened for modification	C:\Windows\bakDWM.dat	systecv3.exe
File opened for modification	C:\Windows\bakThirdPartyLib.dat	systecv3.exe
File opened for modification	C:\Windows\bakDWM.dat	winrdlv3.exe
File opened for modification	C:\Windows\bakThirdPartyLib.dat	winrdlv3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 32 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

winrdlv3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	winrdlv3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	winrdlv3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	winrdlv3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	winrdlv3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	winrdlv3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	winrdlv3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	winrdlv3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRomQEMU____QEMU_DVD-ROM____2.5+	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DiskDADY____________HARDDISK2.5+	winrdlv3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	winrdlv3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	winrdlv3.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

winrdgv3.exewinrdlv3.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	winrdgv3.exe

Modifies registry class 21 IoCs

Processes:

winrdlv3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}	winrdlv3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65655"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471755147"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295"	winrdlv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000c292db67d00000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400410044005900200048004100520044004400490053004b00200044004400300030003000310033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000eaa3b7af2fc100000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 030000004400450053004b0054004f0050002d003500530037004b004b00470038000000	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 52c3dfe6ae2de640	winrdlv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000030004600330046004600460046004600300046003000300030003300300030000000	winrdlv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65813"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1"	winrdlv3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exewinrdlv3.exewinrdlv3.exe

pid	process
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
4756	winrdlv3.exe
4756	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
4756	winrdlv3.exe
4756	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
2692	winrdlv3.exe
4756	winrdlv3.exe
4756	winrdlv3.exe
2692	winrdlv3.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

656
656
656
656
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

systecv3.exewinrdlv3.exe

description pid process

Token: SeDebugPrivilege 4316 systecv3.exe
Token: SeTcbPrivilege 2692 winrdlv3.exe
Token: SeDebugPrivilege 2692 winrdlv3.exe

pid	process
656
656
656
656

description	pid	process
Token: SeDebugPrivilege	4316	systecv3.exe
Token: SeTcbPrivilege	2692	winrdlv3.exe
Token: SeDebugPrivilege	2692	winrdlv3.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.execmd.execmd.exewinrdgv3.exewinrdlv3.exewinrdlv3.exe

description	pid	process	target process
PID 1736 wrote to memory of 904	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	cmd.exe
PID 1736 wrote to memory of 904	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	cmd.exe
PID 1736 wrote to memory of 904	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	cmd.exe
PID 904 wrote to memory of 4584	904	cmd.exe	netsh.exe
PID 904 wrote to memory of 4584	904	cmd.exe	netsh.exe
PID 904 wrote to memory of 4584	904	cmd.exe	netsh.exe
PID 1736 wrote to memory of 2560	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	cmd.exe
PID 1736 wrote to memory of 2560	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	cmd.exe
PID 1736 wrote to memory of 2560	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	cmd.exe
PID 2560 wrote to memory of 1648	2560	cmd.exe	netsh.exe
PID 2560 wrote to memory of 1648	2560	cmd.exe	netsh.exe
PID 2560 wrote to memory of 1648	2560	cmd.exe	netsh.exe
PID 1736 wrote to memory of 4316	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	systecv3.exe
PID 1736 wrote to memory of 4316	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	systecv3.exe
PID 1736 wrote to memory of 4316	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	systecv3.exe
PID 1736 wrote to memory of 388	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	winrdgv3.exe
PID 1736 wrote to memory of 388	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	winrdgv3.exe
PID 1736 wrote to memory of 388	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	winrdgv3.exe
PID 3464 wrote to memory of 4756	3464	winrdgv3.exe	winrdlv3.exe
PID 3464 wrote to memory of 4756	3464	winrdgv3.exe	winrdlv3.exe
PID 3464 wrote to memory of 4756	3464	winrdgv3.exe	winrdlv3.exe
PID 1736 wrote to memory of 3348	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	winrdlv3.exe
PID 1736 wrote to memory of 3348	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	winrdlv3.exe
PID 1736 wrote to memory of 3348	1736	3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe	winrdlv3.exe
PID 4756 wrote to memory of 2692	4756	winrdlv3.exe	winrdlv3.exe
PID 4756 wrote to memory of 2692	4756	winrdlv3.exe	winrdlv3.exe
PID 4756 wrote to memory of 2692	4756	winrdlv3.exe	winrdlv3.exe
PID 2692 wrote to memory of 4332	2692	winrdlv3.exe	regsvr32.exe
PID 2692 wrote to memory of 4332	2692	winrdlv3.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

winrdlv3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	winrdlv3.exe

C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
3⤵
- Modifies Windows Firewall
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
3⤵
- Modifies Windows Firewall
PID:1648

C:\Program Files (x86)\Common Files\System\systecv3.exe
"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
2⤵
- Executes dropped EXE
PID:388

C:\Windows\SysWOW64\winrdlv3.exe
"C:\Windows\system32\winrdlv3.exe" SW_HIDE
2⤵
- Executes dropped EXE
PID:3348

C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2692

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
4⤵
PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:3036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4072

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\systecv3.exe
Filesize
2.3MB

MD5
b9e0a7cbd7fdb4d179172dbdd453495a

SHA1
7f1b18a2bee7defa6db4900982fd3311aabed50d

SHA256
cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce

SHA512
720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\System.dll
Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\nsExec.dll
Filesize
7KB

MD5
ec9c99216ef11cdd85965e78bc797d2c

SHA1
1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c

SHA256
c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df

SHA512
35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\nsProcess.dll
Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat
Filesize
32B

MD5
c65f746d55d47f9713a4b1756c441838

SHA1
1161f92d203b43c2c1949cbeebc1dc4d1962eb29

SHA256
b87182c052c2bd44f743b22cad39b8c18ca16d166734eae7a1af1a75caa2e148

SHA512
a14025e1c15586d14ab99bef82f340b605992513724cc05f47d6d693e3b088a63c483054dc953dcc5ddf6a0ce5e7ad5391abd448dbc8c227dfeb70e9be61d341

Download Submit
C:\Windows\SysWOW64\Ocular\OAgent.ini
Filesize
7KB

MD5
060a95870c44f2f006d4230cb631647b

SHA1
4717872a694141655512617614e9dffd0c0c671f

SHA256
30834e63dfef0fba60ac08c3d4d6a2f51526c7a57f06d7e7633d45acf55def08

SHA512
009586ebbe1615cd143e9f7c4a11b3854d5c9f3451a98fc9be4bc41deffa05d190294a9eb6bddf5df936247eb1cd1a972769c9b5faacbed12724e298badfd3b9

Download Submit
C:\Windows\SysWOW64\Ocular\OAgent.ini
Filesize
7KB

MD5
325df174fb0782239682c04e057c4c2e

SHA1
02e88669efcbc8e77c49ea838ad3368342dda76f

SHA256
35bc622557bbbe243a8e2c04c9ac9340272b47973a3afabd2585d9ee44fa6a7f

SHA512
2d2148c0dcfeff9ff1949d3b82bc4e808cd985b96e1a70e36aa7b06095a2580e9d69a670669aee18a2c1a3e7dbc268d41a4bce56ef4de1fffa8d68d827c0e3f2

Download Submit
C:\Windows\SysWOW64\Ocular\OAgent.ini
Filesize
7KB

MD5
3144ced0652027e1a505967dae0720ee

SHA1
752e7f4987a114c896e5ac7ac167b6070b42280e

SHA256
f620ff40e6a02f00fece685b5824bfa8a803953947aac082f14589ab7735b57b

SHA512
b3fa392efef59de6d3b90efe32eb5d1baec5e1d8d1fdc905976ac7cd6259a2a873e4436125d26eb9c48607fa5ac49eb61c48e8c3a984d8ef23b88c89ce8b57d4

Download Submit
C:\Windows\SysWOW64\Ocular\OAgent.ini
Filesize
7KB

MD5
07bb1eef573ac5d36aabae55b997201d

SHA1
6e988cb0dd14bd36b5eae5670aa0623f7bc3e69d

SHA256
6b415ecaa5a274874c643a8139299504ad9a3e577d098cee74f16bb1966dd553

SHA512
da56a20b7772f59ebbd87affcd1ffa029854d95b5bf65a5eac2f5f3370ce84b2fdf2decf4bcde12b23457d133c8b273c4d85674f956d82f6a2246a8a762cca8c

Download Submit
C:\Windows\SysWOW64\Ocular\OAgent.ini
Filesize
7KB

MD5
7dec65a645f910deda8d66203d73c31f

SHA1
30d4e13771f9b4008a68f9999dca6cccc042529d

SHA256
adef1da6ab02908c71912bca3f252b54b8b35426ef5ac987710fccc09ade156c

SHA512
b1d19087e03875486c547a9a81c6c0539136a49c22c07a99bb0c3bdfbe172c476b065bfe4862e513d36e0fc91f0d8a284d74677ff7e9ea433a2d6ced64c8d6b8

Download Submit
C:\Windows\SysWOW64\Ocular\OPolicy.ini
Filesize
7KB

MD5
92b241f1481f7308fec1d8cf8ee1a06d

SHA1
0ad29126c63d1692f7608289475a2ba3f986b7e3

SHA256
a86c106a60bf075debe285a6d3cb17523ca9b0c8a5609ff5ec5c32908d8617ff

SHA512
8d9d98d56d96aca2002c301e25833871447a6f860f2558f144b5fa747d059e6502bcd383ba4bf24cea42503043c1a5c58a65c89e703f10725f3a837cbe8bbea6

Download Submit
C:\Windows\SysWOW64\Ocular\OPolicy.ini
Filesize
7KB

MD5
83a930a7c95cc68951fe960e55e3f5c9

SHA1
537d523129a792d2062cc4fca8e8d5f13f7b0912

SHA256
493fb7a677670d5e2f34022b176c27167ea5d2a2d36afcc60d5d7177dd0bb415

SHA512
74b293a59793d250670b0430a21af32e9bef4d054db1b1e6a10aa09906a56999a36d9cffeffa5dcbc2bb770bf5468ccde674bb9860d281f01ac6e8ac0a18fc4f

Download Submit
C:\Windows\SysWOW64\Ocular\OPolicy.ini
Filesize
7KB

MD5
f4470b6b433c0972b6287e59b3122f69

SHA1
4c8bfd22c44fda2871072546e8921ac339f93b16

SHA256
604974ed5942bd43db91fb76c74b587a2ccf4671a264ea471b0837b3e714409b

SHA512
b39abcf2d0fa45886be71b644cfc98c685346dbaf887e2ee9c30046bee8b627af61c1202fd39dbd550173c4ba331dec47843e3f5d2e36f995c227fe132c91196

Download Submit
C:\Windows\SysWOW64\Ocular\msagentclass.dat
Filesize
56B

MD5
1ed50f90f5d6ae13c1eb365e7ddd174c

SHA1
21372ee1cfc925d3926e7ba16bfd032c9a440194

SHA256
49ca672d8cf488a80d71508d078484554b8da1deffd78dafd0a15cc9041524c6

SHA512
a79cc841614aa3d7f18fa1a9d5d205be3aa59e2005ebcb0146aa3139d631acd685f76d949b21e1457d8937e56f7d46c507d3d3548b9aec2d5de2f7b3b5efcd4c

Download Submit
C:\Windows\SysWOW64\Ocular\msmailboxcalss.dat
Filesize
68B

MD5
b2a694142b2b98f1c5b41f6d28d02ce6

SHA1
547ce4e42bbe81a358d6866a1a5b194ee2d5720e

SHA256
21f56710a7667c48fd5993a2b42aeee519527bfd36075ba0a11dfc0bec583f0e

SHA512
6cdb6417ba0ad61aa13fe9e27e33bbb4ea29da37969459a9ef5ed054c2822139dda1e7c2f00fba5d43683ddc7603546fa610e813c9f76dc34067d3cce7a14e9c

Download Submit
C:\Windows\SysWOW64\Ocular\msmailboxidentify.dat
Filesize
56B

MD5
bf777b127ee66875e2b08174b00bbc07

SHA1
02ef38eb3fad07cc2e795e33dae9ad44cc1de976

SHA256
35c1ab113184120707b157d06e26ae834a48914ea0e313ea74efdebc7ba2e059

SHA512
5f03fb5d7d8a3286452dc9d71e0f8369835c172c2179ca94fc81dddeeb9f17f4404aeb2ea3c483809111cbe3f8741ad2c513a239e303b09f46e0230ec926db07

Download Submit
C:\Windows\SysWOW64\Ocular\msmidtierserverclass3.dat
Filesize
132B

MD5
802914edc8dec4d5414de5bb98601d40

SHA1
13fe97de7e7593781a472d95324303e34eab552b

SHA256
01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947

SHA512
64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf

Download Submit
C:\Windows\SysWOW64\Ocular\msodhash3.dat
Filesize
6KB

MD5
9939bdd951897c8a48769f2e18be5397

SHA1
d3a9640400bf4175c2d560fb450fa6b723775636

SHA256
e7243c8ab50e2d1174030638045ab50e6ec9d2e9537d72cf3e76b6e0b3348fc1

SHA512
4e94c57a276f2feb5e74e1b6f376085de88a6b0cbfdbf77634e1c85ebf514473b150e677a60b9ff3621d9fc21ba3fcd2ad90c91b633a2dff13cb1933ca80a059

Download Submit
C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass2.dat
Filesize
40B

MD5
b4c5a731de7aafc9a8dece224e0db819

SHA1
190077d8d59260ec8362b8ef35c6b697dc8ed400

SHA256
c4b9f8c964f351f470cfb1734631489c055af13bb8b2df5cc477f2531b476d37

SHA512
120a7c2f964c2228c3546aa5e2a25862530e373812b99613b3d7ab763a267ba8dc49f108eeafc7b5246c6eb70b2099078345b8411e01e6450b47900e6981ef98

Download Submit
C:\Windows\SysWOW64\winoav3.dll
Filesize
13.7MB

MD5
3ae42cb8a028c5be3f57575342bbb56d

SHA1
2939396b9069d4b46febc047b13ce2c30de7e886

SHA256
0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609

SHA512
f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24

Download Submit
C:\Windows\SysWOW64\winrdlv3.exe
Filesize
57KB

MD5
0cbeb75d3090054817ea4df0773afe35

SHA1
58c543a84dc18e21d86ad2c011d8ac726867fb78

SHA256
453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822

SHA512
f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c

Download Submit
C:\Windows\SysWOW64\winwdgv3.dll
Filesize
2.1MB

MD5
0aed8f70a00060f8005efa8d1c668b98

SHA1
c75fe3d1a2476da55f526d366f73bedbfd56f32a

SHA256
326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671

SHA512
738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787

Download Submit
C:\Windows\bakrdgv3.sys
Filesize
1.7MB

MD5
97ac3ef2e098c4cb7dd6ec1d14dc28f1

SHA1
3e78e87eefe45f8403e46d94713b6667aee6d9c9

SHA256
a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1

SHA512
693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd

Download Submit
C:\Windows\system32\winwdgv364.dll
Filesize
1.3MB

MD5
889482a07ba13fc6e194a63d275a850a

SHA1
16a164fded3352abb63722a5c74750cdc438f99a

SHA256
799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0

SHA512
e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a

Download Submit
C:\Windows\win.ini
Filesize
1KB

MD5
91c92ac90e74a5dc2d3edd6579870f16

SHA1
720064d5eb301f2154ecb9cb9318ba91034b067a

SHA256
3357fd467ef2d825eafd2f2d20508bf8f6c16eb0c1dacbb9ae6e528607098f78

SHA512
79d153389988c7693e5c5a9cf311f12c6c69dc7d77f4b9dc25fda8ad214ee8148ea6e721604d136d1f2ff10828d8f78c317a7b0e2ce2a0d44b55aa3f2e0a6aa8

Download Submit
C:\Windows\win.ini
Filesize
1KB

MD5
5daaf0f34045e6dabc6e59dab1a7ac9f

SHA1
2814e7f9a81392bfca7d103563fb9739cd39532d

SHA256
84d9937dc17d4157c0acfb2fbe2450a09888dfd6b56a08f48c671080b76e3c32

SHA512
22cb72df8d8cbc993f868fa6bfb05f4cf88fdc05efde13e65eed6cf9c9f9b4071a4c9d8c9908cb98da686e3783f6fb31117e9cbd01411b2d91942b35d9497cc2

Download Submit
C:\Windows\win.ini
Filesize
1KB

MD5
2f8cec36a057f241243de87776687f98

SHA1
54b4660c18cfccf7f66ffae207c982bda8efbd1d

SHA256
8d5902e43db821b33bd525085e5574c23c294ebfdc8d2dc7ca1931079895b4a4

SHA512
36e1aabdd91fb6ed1f61408dbc0a2775b706845d591122d32b93f8a912e48e4b23ec16793860b6b24e17e1343ed316838d052f996e99589cd4ba36683bc07f01

Download Submit
memory/4756-278-0x00000000018D0000-0x00000000026FC000-memory.dmp

Filesize
14.2MB

Download