Analysis Overview
score
9/10
SHA256
3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944
Threat Level: Likely malicious
The file 3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944 was found to be: Likely malicious.
Malicious Activity Summary
detect oss ak
Modifies Windows Firewall
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies data under HKEY_USERS
Modifies system certificate store
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: LoadsDriver
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-11 06:17
Signatures
detect oss ak
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240508-en
Max time kernel
119s
Max time network
121s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2348 wrote to memory of 2396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 2396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 2396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 2396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 2396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 2396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 2396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
105s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2024 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2024 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2024 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
N/A
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2992 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
111s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3116 wrote to memory of 216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3116 wrote to memory of 216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3116 wrote to memory of 216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
108s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3412 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3412 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3412 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
N/A
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240221-en
Max time kernel
120s
Max time network
130s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2192 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240508-en
Max time kernel
117s
Max time network
126s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2984 wrote to memory of 2996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 224
Network
N/A
Files
N/A
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
103s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2140 wrote to memory of 3836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2140 wrote to memory of 3836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2140 wrote to memory of 3836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4472 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4472 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4472 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240508-en
Max time kernel
121s
Max time network
128s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2156 wrote to memory of 1184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2156 wrote to memory of 1184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2156 wrote to memory of 1184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2156 wrote to memory of 1184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2156 wrote to memory of 1184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2156 wrote to memory of 1184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2156 wrote to memory of 1184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
157s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4996 wrote to memory of 4340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4996 wrote to memory of 4340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4996 wrote to memory of 4340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.17.178.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20231129-en
Max time kernel
119s
Max time network
127s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2352 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
154s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2984 wrote to memory of 1432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 1432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 1432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
N/A
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240215-en
Max time kernel
149s
Max time network
135s
Command Line
"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\systecv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\V: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\System\systecv3.exe | C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | C:\Program Files (x86)\Common Files\System\systecv3.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471755147" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000030004600330046004600460046004600300046003000300030003300300030000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000c292db67d00000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000010000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400410044005900200048004100520044004400490053004b00200051004d00300030003000310033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000d22a4ff6eed800000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 52c3dfe6ae2de640 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65812" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 030000004400450053004b0054004f0050002d003500530037004b004b00470038000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65655" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\System\systecv3.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
C:\Program Files (x86)\Common Files\System\systecv3.exe
"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
C:\Windows\SysWow64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
C:\Windows\SysWow64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
C:\Windows\SysWOW64\winrdlv3.exe
"C:\Windows\system32\winrdlv3.exe" SW_HIDE
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| HK | 206.238.199.139:8237 | tcp |
Files
\Users\Admin\AppData\Local\Temp\nst1BBC.tmp\nsProcess.dll
| MD5 | 88d3e48d1c1a051c702d47046ade7b4c |
| SHA1 | 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23 |
| SHA256 | 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257 |
| SHA512 | 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7 |
\Users\Admin\AppData\Local\Temp\nst1BBC.tmp\System.dll
| MD5 | 6e55a6e7c3fdbd244042eb15cb1ec739 |
| SHA1 | 070ea80e2192abc42f358d47b276990b5fa285a9 |
| SHA256 | acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506 |
| SHA512 | 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35 |
\Users\Admin\AppData\Local\Temp\nst1BBC.tmp\nsExec.dll
| MD5 | ec9c99216ef11cdd85965e78bc797d2c |
| SHA1 | 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c |
| SHA256 | c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df |
| SHA512 | 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1 |
C:\Program Files (x86)\Common Files\System\systecv3.exe
| MD5 | b9e0a7cbd7fdb4d179172dbdd453495a |
| SHA1 | 7f1b18a2bee7defa6db4900982fd3311aabed50d |
| SHA256 | cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce |
| SHA512 | 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c |
C:\Windows\win.ini
| MD5 | 91c92ac90e74a5dc2d3edd6579870f16 |
| SHA1 | 720064d5eb301f2154ecb9cb9318ba91034b067a |
| SHA256 | 3357fd467ef2d825eafd2f2d20508bf8f6c16eb0c1dacbb9ae6e528607098f78 |
| SHA512 | 79d153389988c7693e5c5a9cf311f12c6c69dc7d77f4b9dc25fda8ad214ee8148ea6e721604d136d1f2ff10828d8f78c317a7b0e2ce2a0d44b55aa3f2e0a6aa8 |
C:\Windows\SysWow64\bakrdgv3.sys
| MD5 | 97ac3ef2e098c4cb7dd6ec1d14dc28f1 |
| SHA1 | 3e78e87eefe45f8403e46d94713b6667aee6d9c9 |
| SHA256 | a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1 |
| SHA512 | 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd |
C:\Windows\SysWOW64\winrdlv3.exe
| MD5 | 0cbeb75d3090054817ea4df0773afe35 |
| SHA1 | 58c543a84dc18e21d86ad2c011d8ac726867fb78 |
| SHA256 | 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822 |
| SHA512 | f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c |
C:\Windows\SysWOW64\winwdgv3.dll
| MD5 | 0aed8f70a00060f8005efa8d1c668b98 |
| SHA1 | c75fe3d1a2476da55f526d366f73bedbfd56f32a |
| SHA256 | 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671 |
| SHA512 | 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787 |
C:\Windows\system32\winwdgv364.dll
| MD5 | 889482a07ba13fc6e194a63d275a850a |
| SHA1 | 16a164fded3352abb63722a5c74750cdc438f99a |
| SHA256 | 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0 |
| SHA512 | e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a |
C:\Windows\bakoav3.sys
| MD5 | 3ae42cb8a028c5be3f57575342bbb56d |
| SHA1 | 2939396b9069d4b46febc047b13ce2c30de7e886 |
| SHA256 | 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609 |
| SHA512 | f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24 |
memory/2128-253-0x0000000002E00000-0x0000000003C2C000-memory.dmp
C:\Windows\SysWow64\Ocular\OAgent.ini
| MD5 | 060a95870c44f2f006d4230cb631647b |
| SHA1 | 4717872a694141655512617614e9dffd0c0c671f |
| SHA256 | 30834e63dfef0fba60ac08c3d4d6a2f51526c7a57f06d7e7633d45acf55def08 |
| SHA512 | 009586ebbe1615cd143e9f7c4a11b3854d5c9f3451a98fc9be4bc41deffa05d190294a9eb6bddf5df936247eb1cd1a972769c9b5faacbed12724e298badfd3b9 |
C:\Windows\SysWow64\Ocular\msodhash3.dat
| MD5 | 9939bdd951897c8a48769f2e18be5397 |
| SHA1 | d3a9640400bf4175c2d560fb450fa6b723775636 |
| SHA256 | e7243c8ab50e2d1174030638045ab50e6ec9d2e9537d72cf3e76b6e0b3348fc1 |
| SHA512 | 4e94c57a276f2feb5e74e1b6f376085de88a6b0cbfdbf77634e1c85ebf514473b150e677a60b9ff3621d9fc21ba3fcd2ad90c91b633a2dff13cb1933ca80a059 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | eaf9ddec9e92277b04267ed338024723 |
| SHA1 | 5e20a503bae8967988fa339822361d9132a7cf65 |
| SHA256 | cd10b17c7677023fe2ecf462509859de5e8b5cfe830ba71396c6639499a11583 |
| SHA512 | 2302424c6082ebf0d95b1fb1db0fd3eb92c6010669ba7acbf855105fe953e1bccfc966cdfc19fa581b98c7e109eb7c4ae6e7d0061d14593889f7245bca9250c2 |
C:\Windows\SysWow64\Ocular\OPolicy.ini
| MD5 | 92b241f1481f7308fec1d8cf8ee1a06d |
| SHA1 | 0ad29126c63d1692f7608289475a2ba3f986b7e3 |
| SHA256 | a86c106a60bf075debe285a6d3cb17523ca9b0c8a5609ff5ec5c32908d8617ff |
| SHA512 | 8d9d98d56d96aca2002c301e25833871447a6f860f2558f144b5fa747d059e6502bcd383ba4bf24cea42503043c1a5c58a65c89e703f10725f3a837cbe8bbea6 |
C:\Windows\SysWOW64\Ocular\OPolicy.ini
| MD5 | 7283fb584d9bb9ca700796c2b3bc9165 |
| SHA1 | ed1d72488146f29eaaea26eeb1baa335d3abd25a |
| SHA256 | c1ba97b0f123fa5a774b85b84161e649dde404fcb119bef040575b7fa46185e6 |
| SHA512 | a16b90640567aee9a23ff167415e567f1f4d378069889c5d6ceedbd8afcb8acb6c350c2aa603328ca07eb52d1971d88569d17588987b37053e688729f244f655 |
C:\Windows\SysWow64\Ocular\msmidtierserverclass3.dat
| MD5 | 802914edc8dec4d5414de5bb98601d40 |
| SHA1 | 13fe97de7e7593781a472d95324303e34eab552b |
| SHA256 | 01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947 |
| SHA512 | 64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf |
C:\Windows\SysWow64\Ocular\AgentTask\AgentTaskList.dat
| MD5 | c65f746d55d47f9713a4b1756c441838 |
| SHA1 | 1161f92d203b43c2c1949cbeebc1dc4d1962eb29 |
| SHA256 | b87182c052c2bd44f743b22cad39b8c18ca16d166734eae7a1af1a75caa2e148 |
| SHA512 | a14025e1c15586d14ab99bef82f340b605992513724cc05f47d6d693e3b088a63c483054dc953dcc5ddf6a0ce5e7ad5391abd448dbc8c227dfeb70e9be61d341 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 5239bc5e5f376a51423a6de8e51f8e1c |
| SHA1 | 289aa0bf2e173f5617e954df4b72a1754456b49b |
| SHA256 | d1011bfa513d0aba1038f06bd784c6d7a0f20a2bc801e8f6cb2669206521ebe8 |
| SHA512 | 392101b53d7f7e6a0555771004a1341ca35ab50f608b66bf40953850e36a5923e68bf47e35a803fac8a2d1fe6835004d592babfe4f2e9f98c8ccc095d49cb2e1 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 38a545d5c11fece9314b82a2528cab61 |
| SHA1 | c9371b52653ac7bd62ad701bcf7a2fd823774423 |
| SHA256 | c46d3e307d59eec52d46cca1d9edfcc1a11ead89613b6993e3c29b71e7c54433 |
| SHA512 | 086374453c317290fd651e8e2d737a041b1a74f8b7e8a822eb47dacfcf412d42aab159a4f706a06bc68c67770bd30e1ebec3fd38af87b881c4a34c49d4ac1fb6 |
C:\Windows\win.ini
| MD5 | d987b8ee310dc369bd69b46a64cf6ddd |
| SHA1 | 8ba4ce89b73fa20726895d13c078ed7bd46485d2 |
| SHA256 | 5a5d8fe37ac74c37c22e3a3b256f2c30d2f0361df26d0b3b93757ad6cb74d5f0 |
| SHA512 | 7c13e0884d538d885e5bafa435f2dea78d72d2db203c6a2292e8539279b50d3661830f27dfdf008c736499378f43c3a97382ad79a6afc5c38ff0f3291cd860fa |
C:\Windows\win.ini
| MD5 | eb8c51ac7de1e34b227aa1cfa0b2b4f4 |
| SHA1 | 08ecd3f4988ed7310647cc4f8fb0c7ab26911e2c |
| SHA256 | b7943d4226e1b06b7fe32c641d1d3cf027db3d197d7fa00fe9dfe4068798a2bf |
| SHA512 | a5c416173961c1e09bc5cdda68f89024536c19e663f5914788f34d59f033daa618e58311b257d0faef72e31975cb0c21a417b497ea60d5be8297cc93b2d98994 |
C:\Windows\SysWow64\Ocular\msagentclass.dat
| MD5 | 1ed50f90f5d6ae13c1eb365e7ddd174c |
| SHA1 | 21372ee1cfc925d3926e7ba16bfd032c9a440194 |
| SHA256 | 49ca672d8cf488a80d71508d078484554b8da1deffd78dafd0a15cc9041524c6 |
| SHA512 | a79cc841614aa3d7f18fa1a9d5d205be3aa59e2005ebcb0146aa3139d631acd685f76d949b21e1457d8937e56f7d46c507d3d3548b9aec2d5de2f7b3b5efcd4c |
C:\Windows\SysWow64\Ocular\msusersystemservercfgclass2.dat
| MD5 | b4c5a731de7aafc9a8dece224e0db819 |
| SHA1 | 190077d8d59260ec8362b8ef35c6b697dc8ed400 |
| SHA256 | c4b9f8c964f351f470cfb1734631489c055af13bb8b2df5cc477f2531b476d37 |
| SHA512 | 120a7c2f964c2228c3546aa5e2a25862530e373812b99613b3d7ab763a267ba8dc49f108eeafc7b5246c6eb70b2099078345b8411e01e6450b47900e6981ef98 |
C:\Windows\SysWow64\Ocular\msmailboxidentify.dat
| MD5 | bf777b127ee66875e2b08174b00bbc07 |
| SHA1 | 02ef38eb3fad07cc2e795e33dae9ad44cc1de976 |
| SHA256 | 35c1ab113184120707b157d06e26ae834a48914ea0e313ea74efdebc7ba2e059 |
| SHA512 | 5f03fb5d7d8a3286452dc9d71e0f8369835c172c2179ca94fc81dddeeb9f17f4404aeb2ea3c483809111cbe3f8741ad2c513a239e303b09f46e0230ec926db07 |
C:\Windows\SysWow64\Ocular\msmailboxcalss.dat
| MD5 | b2a694142b2b98f1c5b41f6d28d02ce6 |
| SHA1 | 547ce4e42bbe81a358d6866a1a5b194ee2d5720e |
| SHA256 | 21f56710a7667c48fd5993a2b42aeee519527bfd36075ba0a11dfc0bec583f0e |
| SHA512 | 6cdb6417ba0ad61aa13fe9e27e33bbb4ea29da37969459a9ef5ed054c2822139dda1e7c2f00fba5d43683ddc7603546fa610e813c9f76dc34067d3cce7a14e9c |
C:\Windows\SysWOW64\Ocular\OPolicy.ini
| MD5 | e3e926962b0ac5627e917820702076a5 |
| SHA1 | 8d1b90b5ad74cdf50761dc6feb8e5eacf8198ecc |
| SHA256 | 650b2b8035a1e6a76f2f41a554c6c8e85a216465d9d8b3343ff9f665debc402d |
| SHA512 | 5fe052b80db86c6209de6fef820ad66b89f658f38eca9c70abd2273aaa5ea8019bf4d268b3bfb4ad755e5a2a516f4ede750384d8569ebf859882abf913c918e5 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | bb69cb028e395439341e588826688bd5 |
| SHA1 | dfbb5d0e9a861b8223bcd5d41e300878acca2490 |
| SHA256 | 33a98e019d586a4f0fc071041293db84ad93741d1f39ec3790c827785697060c |
| SHA512 | 2234e99d7d23e0afd9d2e94e501679dfc1212a6aaca3f94175dcfebefc56edd611fde47ece7cbe223674cec2e468de5245d213c9611488af508c99663bff7611 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
97s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5952 wrote to memory of 5388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5952 wrote to memory of 5388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5952 wrote to memory of 5388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5388 -ip 5388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
163s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2992 wrote to memory of 4232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 4232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 4232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4232 -ip 4232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 608
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240226-en
Max time kernel
109s
Max time network
161s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5100 wrote to memory of 1652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5100 wrote to memory of 1652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5100 wrote to memory of 1652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.106:443 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2088 wrote to memory of 1460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2088 wrote to memory of 1460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2088 wrote to memory of 1460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2088 wrote to memory of 1460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2088 wrote to memory of 1460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2088 wrote to memory of 1460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2088 wrote to memory of 1460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240508-en
Max time kernel
120s
Max time network
122s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1932 wrote to memory of 1856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1932 wrote to memory of 1856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1932 wrote to memory of 1856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1932 wrote to memory of 1856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1932 wrote to memory of 1856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1932 wrote to memory of 1856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1932 wrote to memory of 1856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
97s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4544 wrote to memory of 3852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4544 wrote to memory of 3852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4544 wrote to memory of 3852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240508-en
Max time kernel
121s
Max time network
126s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 220
Network
N/A
Files
N/A
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240508-en
Max time kernel
117s
Max time network
123s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 220
Network
N/A
Files
N/A
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
155s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1820 wrote to memory of 1392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1820 wrote to memory of 1392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1820 wrote to memory of 1392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1392 -ip 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240221-en
Max time kernel
122s
Max time network
130s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2612 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240220-en
Max time kernel
121s
Max time network
126s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2076 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2076 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2076 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2076 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2076 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2076 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2076 wrote to memory of 2860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4652 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4652 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4652 wrote to memory of 4792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
139s
Command Line
"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\systecv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | C:\Program Files (x86)\Common Files\System\systecv3.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\systecv3.exe | C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRomQEMU____QEMU_DVD-ROM____2.5+ | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DiskDADY____________HARDDISK2.5+ | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65655" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471755147" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000c292db67d00000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400410044005900200048004100520044004400490053004b00200044004400300030003000310033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000eaa3b7af2fc100000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 030000004400450053004b0054004f0050002d003500530037004b004b00470038000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 52c3dfe6ae2de640 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000030004600330046004600460046004600300046003000300030003300300030000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65813" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\System\systecv3.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe
"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
C:\Program Files (x86)\Common Files\System\systecv3.exe
"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
C:\Windows\SysWOW64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
C:\Windows\SysWOW64\winrdlv3.exe
"C:\Windows\system32\winrdlv3.exe" SW_HIDE
C:\Windows\SysWOW64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| HK | 206.238.199.139:8237 | tcp | |
| US | 8.8.8.8:53 | 139.199.238.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\nsProcess.dll
| MD5 | 88d3e48d1c1a051c702d47046ade7b4c |
| SHA1 | 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23 |
| SHA256 | 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257 |
| SHA512 | 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7 |
C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\System.dll
| MD5 | 6e55a6e7c3fdbd244042eb15cb1ec739 |
| SHA1 | 070ea80e2192abc42f358d47b276990b5fa285a9 |
| SHA256 | acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506 |
| SHA512 | 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35 |
C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\nsExec.dll
| MD5 | ec9c99216ef11cdd85965e78bc797d2c |
| SHA1 | 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c |
| SHA256 | c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df |
| SHA512 | 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1 |
C:\Program Files (x86)\Common Files\System\systecv3.exe
| MD5 | b9e0a7cbd7fdb4d179172dbdd453495a |
| SHA1 | 7f1b18a2bee7defa6db4900982fd3311aabed50d |
| SHA256 | cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce |
| SHA512 | 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c |
C:\Windows\win.ini
| MD5 | 91c92ac90e74a5dc2d3edd6579870f16 |
| SHA1 | 720064d5eb301f2154ecb9cb9318ba91034b067a |
| SHA256 | 3357fd467ef2d825eafd2f2d20508bf8f6c16eb0c1dacbb9ae6e528607098f78 |
| SHA512 | 79d153389988c7693e5c5a9cf311f12c6c69dc7d77f4b9dc25fda8ad214ee8148ea6e721604d136d1f2ff10828d8f78c317a7b0e2ce2a0d44b55aa3f2e0a6aa8 |
C:\Windows\bakrdgv3.sys
| MD5 | 97ac3ef2e098c4cb7dd6ec1d14dc28f1 |
| SHA1 | 3e78e87eefe45f8403e46d94713b6667aee6d9c9 |
| SHA256 | a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1 |
| SHA512 | 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd |
C:\Windows\SysWOW64\winrdlv3.exe
| MD5 | 0cbeb75d3090054817ea4df0773afe35 |
| SHA1 | 58c543a84dc18e21d86ad2c011d8ac726867fb78 |
| SHA256 | 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822 |
| SHA512 | f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c |
C:\Windows\SysWOW64\winwdgv3.dll
| MD5 | 0aed8f70a00060f8005efa8d1c668b98 |
| SHA1 | c75fe3d1a2476da55f526d366f73bedbfd56f32a |
| SHA256 | 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671 |
| SHA512 | 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787 |
C:\Windows\system32\winwdgv364.dll
| MD5 | 889482a07ba13fc6e194a63d275a850a |
| SHA1 | 16a164fded3352abb63722a5c74750cdc438f99a |
| SHA256 | 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0 |
| SHA512 | e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a |
C:\Windows\SysWOW64\winoav3.dll
| MD5 | 3ae42cb8a028c5be3f57575342bbb56d |
| SHA1 | 2939396b9069d4b46febc047b13ce2c30de7e886 |
| SHA256 | 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609 |
| SHA512 | f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24 |
memory/4756-278-0x00000000018D0000-0x00000000026FC000-memory.dmp
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 060a95870c44f2f006d4230cb631647b |
| SHA1 | 4717872a694141655512617614e9dffd0c0c671f |
| SHA256 | 30834e63dfef0fba60ac08c3d4d6a2f51526c7a57f06d7e7633d45acf55def08 |
| SHA512 | 009586ebbe1615cd143e9f7c4a11b3854d5c9f3451a98fc9be4bc41deffa05d190294a9eb6bddf5df936247eb1cd1a972769c9b5faacbed12724e298badfd3b9 |
C:\Windows\SysWOW64\Ocular\msodhash3.dat
| MD5 | 9939bdd951897c8a48769f2e18be5397 |
| SHA1 | d3a9640400bf4175c2d560fb450fa6b723775636 |
| SHA256 | e7243c8ab50e2d1174030638045ab50e6ec9d2e9537d72cf3e76b6e0b3348fc1 |
| SHA512 | 4e94c57a276f2feb5e74e1b6f376085de88a6b0cbfdbf77634e1c85ebf514473b150e677a60b9ff3621d9fc21ba3fcd2ad90c91b633a2dff13cb1933ca80a059 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 325df174fb0782239682c04e057c4c2e |
| SHA1 | 02e88669efcbc8e77c49ea838ad3368342dda76f |
| SHA256 | 35bc622557bbbe243a8e2c04c9ac9340272b47973a3afabd2585d9ee44fa6a7f |
| SHA512 | 2d2148c0dcfeff9ff1949d3b82bc4e808cd985b96e1a70e36aa7b06095a2580e9d69a670669aee18a2c1a3e7dbc268d41a4bce56ef4de1fffa8d68d827c0e3f2 |
C:\Windows\SysWOW64\Ocular\OPolicy.ini
| MD5 | 92b241f1481f7308fec1d8cf8ee1a06d |
| SHA1 | 0ad29126c63d1692f7608289475a2ba3f986b7e3 |
| SHA256 | a86c106a60bf075debe285a6d3cb17523ca9b0c8a5609ff5ec5c32908d8617ff |
| SHA512 | 8d9d98d56d96aca2002c301e25833871447a6f860f2558f144b5fa747d059e6502bcd383ba4bf24cea42503043c1a5c58a65c89e703f10725f3a837cbe8bbea6 |
C:\Windows\SysWOW64\Ocular\OPolicy.ini
| MD5 | 83a930a7c95cc68951fe960e55e3f5c9 |
| SHA1 | 537d523129a792d2062cc4fca8e8d5f13f7b0912 |
| SHA256 | 493fb7a677670d5e2f34022b176c27167ea5d2a2d36afcc60d5d7177dd0bb415 |
| SHA512 | 74b293a59793d250670b0430a21af32e9bef4d054db1b1e6a10aa09906a56999a36d9cffeffa5dcbc2bb770bf5468ccde674bb9860d281f01ac6e8ac0a18fc4f |
C:\Windows\win.ini
| MD5 | 5daaf0f34045e6dabc6e59dab1a7ac9f |
| SHA1 | 2814e7f9a81392bfca7d103563fb9739cd39532d |
| SHA256 | 84d9937dc17d4157c0acfb2fbe2450a09888dfd6b56a08f48c671080b76e3c32 |
| SHA512 | 22cb72df8d8cbc993f868fa6bfb05f4cf88fdc05efde13e65eed6cf9c9f9b4071a4c9d8c9908cb98da686e3783f6fb31117e9cbd01411b2d91942b35d9497cc2 |
C:\Windows\SysWOW64\Ocular\msmidtierserverclass3.dat
| MD5 | 802914edc8dec4d5414de5bb98601d40 |
| SHA1 | 13fe97de7e7593781a472d95324303e34eab552b |
| SHA256 | 01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947 |
| SHA512 | 64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 3144ced0652027e1a505967dae0720ee |
| SHA1 | 752e7f4987a114c896e5ac7ac167b6070b42280e |
| SHA256 | f620ff40e6a02f00fece685b5824bfa8a803953947aac082f14589ab7735b57b |
| SHA512 | b3fa392efef59de6d3b90efe32eb5d1baec5e1d8d1fdc905976ac7cd6259a2a873e4436125d26eb9c48607fa5ac49eb61c48e8c3a984d8ef23b88c89ce8b57d4 |
C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat
| MD5 | c65f746d55d47f9713a4b1756c441838 |
| SHA1 | 1161f92d203b43c2c1949cbeebc1dc4d1962eb29 |
| SHA256 | b87182c052c2bd44f743b22cad39b8c18ca16d166734eae7a1af1a75caa2e148 |
| SHA512 | a14025e1c15586d14ab99bef82f340b605992513724cc05f47d6d693e3b088a63c483054dc953dcc5ddf6a0ce5e7ad5391abd448dbc8c227dfeb70e9be61d341 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 07bb1eef573ac5d36aabae55b997201d |
| SHA1 | 6e988cb0dd14bd36b5eae5670aa0623f7bc3e69d |
| SHA256 | 6b415ecaa5a274874c643a8139299504ad9a3e577d098cee74f16bb1966dd553 |
| SHA512 | da56a20b7772f59ebbd87affcd1ffa029854d95b5bf65a5eac2f5f3370ce84b2fdf2decf4bcde12b23457d133c8b273c4d85674f956d82f6a2246a8a762cca8c |
C:\Windows\win.ini
| MD5 | 2f8cec36a057f241243de87776687f98 |
| SHA1 | 54b4660c18cfccf7f66ffae207c982bda8efbd1d |
| SHA256 | 8d5902e43db821b33bd525085e5574c23c294ebfdc8d2dc7ca1931079895b4a4 |
| SHA512 | 36e1aabdd91fb6ed1f61408dbc0a2775b706845d591122d32b93f8a912e48e4b23ec16793860b6b24e17e1343ed316838d052f996e99589cd4ba36683bc07f01 |
C:\Windows\SysWOW64\Ocular\msagentclass.dat
| MD5 | 1ed50f90f5d6ae13c1eb365e7ddd174c |
| SHA1 | 21372ee1cfc925d3926e7ba16bfd032c9a440194 |
| SHA256 | 49ca672d8cf488a80d71508d078484554b8da1deffd78dafd0a15cc9041524c6 |
| SHA512 | a79cc841614aa3d7f18fa1a9d5d205be3aa59e2005ebcb0146aa3139d631acd685f76d949b21e1457d8937e56f7d46c507d3d3548b9aec2d5de2f7b3b5efcd4c |
C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass2.dat
| MD5 | b4c5a731de7aafc9a8dece224e0db819 |
| SHA1 | 190077d8d59260ec8362b8ef35c6b697dc8ed400 |
| SHA256 | c4b9f8c964f351f470cfb1734631489c055af13bb8b2df5cc477f2531b476d37 |
| SHA512 | 120a7c2f964c2228c3546aa5e2a25862530e373812b99613b3d7ab763a267ba8dc49f108eeafc7b5246c6eb70b2099078345b8411e01e6450b47900e6981ef98 |
C:\Windows\SysWOW64\Ocular\msmailboxidentify.dat
| MD5 | bf777b127ee66875e2b08174b00bbc07 |
| SHA1 | 02ef38eb3fad07cc2e795e33dae9ad44cc1de976 |
| SHA256 | 35c1ab113184120707b157d06e26ae834a48914ea0e313ea74efdebc7ba2e059 |
| SHA512 | 5f03fb5d7d8a3286452dc9d71e0f8369835c172c2179ca94fc81dddeeb9f17f4404aeb2ea3c483809111cbe3f8741ad2c513a239e303b09f46e0230ec926db07 |
C:\Windows\SysWOW64\Ocular\msmailboxcalss.dat
| MD5 | b2a694142b2b98f1c5b41f6d28d02ce6 |
| SHA1 | 547ce4e42bbe81a358d6866a1a5b194ee2d5720e |
| SHA256 | 21f56710a7667c48fd5993a2b42aeee519527bfd36075ba0a11dfc0bec583f0e |
| SHA512 | 6cdb6417ba0ad61aa13fe9e27e33bbb4ea29da37969459a9ef5ed054c2822139dda1e7c2f00fba5d43683ddc7603546fa610e813c9f76dc34067d3cce7a14e9c |
C:\Windows\SysWOW64\Ocular\OPolicy.ini
| MD5 | f4470b6b433c0972b6287e59b3122f69 |
| SHA1 | 4c8bfd22c44fda2871072546e8921ac339f93b16 |
| SHA256 | 604974ed5942bd43db91fb76c74b587a2ccf4671a264ea471b0837b3e714409b |
| SHA512 | b39abcf2d0fa45886be71b644cfc98c685346dbaf887e2ee9c30046bee8b627af61c1202fd39dbd550173c4ba331dec47843e3f5d2e36f995c227fe132c91196 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 7dec65a645f910deda8d66203d73c31f |
| SHA1 | 30d4e13771f9b4008a68f9999dca6cccc042529d |
| SHA256 | adef1da6ab02908c71912bca3f252b54b8b35426ef5ac987710fccc09ade156c |
| SHA512 | b1d19087e03875486c547a9a81c6c0539136a49c22c07a99bb0c3bdfbe172c476b065bfe4862e513d36e0fc91f0d8a284d74677ff7e9ea433a2d6ced64c8d6b8 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2196 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240215-en
Max time kernel
121s
Max time network
130s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 844 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 844 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 844 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 844 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 844 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 844 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 844 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1
Network
N/A
Files
N/A
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win10v2004-20240508-en
Max time kernel
128s
Max time network
131s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2580 wrote to memory of 5028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2580 wrote to memory of 5028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2580 wrote to memory of 5028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-11 06:17
Reported
2024-05-11 06:20
Platform
win7-20240508-en
Max time kernel
120s
Max time network
127s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1524 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1524 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1524 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1524 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1524 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1524 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1524 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1
Network
N/A
Files
N/A