Malware Analysis Report

2024-09-09 12:19

Sample ID 240511-g2a48acf34
Target 3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944
SHA256 3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944
Tags: bootkit evasion persistence oss_ak
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files:

Analysis: behavioral25
Analysis: behavioral1
Analysis: behavioral10
Analysis: behavioral13
Analysis: behavioral18
Analysis: behavioral19
Analysis: behavioral21
Analysis: behavioral11
Analysis: behavioral12
Analysis: behavioral16
Analysis: behavioral27
Analysis: behavioral2
Analysis: behavioral8
Analysis: behavioral9
Analysis: behavioral31
Analysis: behavioral15
Analysis: behavioral26
Analysis: behavioral32
Analysis: behavioral3
Analysis: behavioral5
Analysis: behavioral7
Analysis: behavioral23
Analysis: behavioral28
Analysis: behavioral30
Analysis: behavioral4
Analysis: behavioral6
Analysis: behavioral14
Analysis: behavioral22
Analysis: behavioral20
Analysis: behavioral24
Analysis: behavioral17
Analysis: behavioral29

Analysis Overview

Score: 9/10

SHA256: 3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944

Threat Level: Likely malicious

The file 3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944 was found to be: Likely malicious.

Malicious Activity Summary

Tags: bootkit evasion persistence oss_ak

detect oss ak

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies system certificate store

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-11 06:17

Signatures

detect oss ak

Tags: oss_ak
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral25

Detonation Overview

Submitted: 2024-05-11 06:17
Reported: 2024-05-11 06:20
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-11 06:17
Reported: 2024-05-11 06:20
Platform: win7-20240215-en
Max time kernel: 149s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"

Signatures

Modifies Windows Firewall

Tags: evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWow64\winrdlv3.exe N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWow64\winrdlv3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\Config\p2p_common.ini C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1045.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent\764 C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_5_11_6_18_3_259405716_2_3_18467 C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Ocular\OPolicy.ini C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\imageformats\qsvg.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\imageformats\qwbmp.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\OAgent.ini C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_5_11_6_18_3_259405716_3_3_6334 C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\Deploy C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1007.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\h_1.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\platforminputcontexts\qtvirtualkeyboardplugin.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-shcore-scaling-l1-1-1.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
File created C:\Windows\SysWOW64\imageformats\qjpeg.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\imageformats\qtiff.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\qmltooling\qmldbg_native.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\libssh2.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Qt\labs\folderlistmodel\plugins.qmltypes C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1023.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\imageformats\qgif.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\WinPatch C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_5_11_6_18_10_259412455_3_3_18467 C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_5_11_6_18_12_259414514_5_3_6334 C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1004.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\h_2.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Ocular\msagentclass.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Display.AMD.20150715.Scindex C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\dgpver.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\knewuplive.ini C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Qt\labs\platform\plugins.qmltypes C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\qmltooling\qmldbg_debugger.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Qt5Svg.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Qt5WebChannel.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw2_1001.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1024.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1015.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1046.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\platforms\qwindows.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\dbph.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\otherfile_icon.png C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw2_1004.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\qmltooling\qmldbg_inspector.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\OBtEmulator C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\officetemplate.kid C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\Download C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\OPolicy.ini C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\360zip\360zipver.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\System\systecv3.exe C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Program Files (x86)\Common Files\System\systecv3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\bakThirdPartyLib.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakCertList.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\bakwdgv3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\bakDWM.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakCertList.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File created C:\Windows\bakoav3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\bakCameraPack.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakTKSPack.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakThirdPartyLib.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File created C:\Windows\LInstSvr.exe C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\bakSCClient.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakTStartMenu.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakSCClient.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\bakrdgv3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\bakrdlv3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\bakstec3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\bakwdgv364.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\bakTStartMenu.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakCameraPack.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakTKSPack.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakDWM.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\win.ini C:\Windows\SysWow64\winrdlv3.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWow64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWow64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWow64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\SysWow64\winrdlv3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471755147" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000030004600330046004600460046004600300046003000300030003300300030000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000c292db67d00000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640 C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 52c3dfe6ae2de640 C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65812" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 030000004400450053004b0054004f0050002d003500530037004b004b00470038000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65655" C:\Windows\SysWow64\winrdlv3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWow64\winrdlv3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWow64\winrdlv3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2804 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2804 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 868 wrote to memory of 2128 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 2804 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 2128 wrote to memory of 764 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 2804 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 764 wrote to memory of 2972 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Windows\SysWow64\winrdlv3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe

"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Program Files (x86)\Common Files\System\systecv3.exe

"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"

C:\Windows\SysWow64\winrdlv3.exe

C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE

C:\Windows\SysWow64\winrdlv3.exe

C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32

C:\Windows\SysWOW64\winrdlv3.exe

"C:\Windows\system32\winrdlv3.exe" SW_HIDE

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s trmenushl64.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
HK 206.238.199.139:8237 tcp

Files

\Users\Admin\AppData\Local\Temp\nst1BBC.tmp\nsProcess.dll

MD5 88d3e48d1c1a051c702d47046ade7b4c
SHA1 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23
SHA256 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257
SHA512 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

\Users\Admin\AppData\Local\Temp\nst1BBC.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

\Users\Admin\AppData\Local\Temp\nst1BBC.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Program Files (x86)\Common Files\System\systecv3.exe

MD5 b9e0a7cbd7fdb4d179172dbdd453495a
SHA1 7f1b18a2bee7defa6db4900982fd3311aabed50d
SHA256 cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce
SHA512 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c

C:\Windows\win.ini

MD5 91c92ac90e74a5dc2d3edd6579870f16
SHA1 720064d5eb301f2154ecb9cb9318ba91034b067a
SHA256 3357fd467ef2d825eafd2f2d20508bf8f6c16eb0c1dacbb9ae6e528607098f78
SHA512 79d153389988c7693e5c5a9cf311f12c6c69dc7d77f4b9dc25fda8ad214ee8148ea6e721604d136d1f2ff10828d8f78c317a7b0e2ce2a0d44b55aa3f2e0a6aa8

C:\Windows\SysWow64\bakrdgv3.sys

MD5 97ac3ef2e098c4cb7dd6ec1d14dc28f1
SHA1 3e78e87eefe45f8403e46d94713b6667aee6d9c9
SHA256 a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1
SHA512 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd

C:\Windows\SysWOW64\winrdlv3.exe

MD5 0cbeb75d3090054817ea4df0773afe35
SHA1 58c543a84dc18e21d86ad2c011d8ac726867fb78
SHA256 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822
SHA512 f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c

C:\Windows\SysWOW64\winwdgv3.dll

MD5 0aed8f70a00060f8005efa8d1c668b98
SHA1 c75fe3d1a2476da55f526d366f73bedbfd56f32a
SHA256 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671
SHA512 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787

C:\Windows\system32\winwdgv364.dll

MD5 889482a07ba13fc6e194a63d275a850a
SHA1 16a164fded3352abb63722a5c74750cdc438f99a
SHA256 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0
SHA512 e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a

C:\Windows\bakoav3.sys

MD5 3ae42cb8a028c5be3f57575342bbb56d
SHA1 2939396b9069d4b46febc047b13ce2c30de7e886
SHA256 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609
SHA512 f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24

memory/2128-253-0x0000000002E00000-0x0000000003C2C000-memory.dmp

C:\Windows\SysWow64\Ocular\OAgent.ini

MD5 060a95870c44f2f006d4230cb631647b
SHA1 4717872a694141655512617614e9dffd0c0c671f
SHA256 30834e63dfef0fba60ac08c3d4d6a2f51526c7a57f06d7e7633d45acf55def08
SHA512 009586ebbe1615cd143e9f7c4a11b3854d5c9f3451a98fc9be4bc41deffa05d190294a9eb6bddf5df936247eb1cd1a972769c9b5faacbed12724e298badfd3b9

C:\Windows\SysWow64\Ocular\msodhash3.dat

MD5 9939bdd951897c8a48769f2e18be5397
SHA1 d3a9640400bf4175c2d560fb450fa6b723775636
SHA256 e7243c8ab50e2d1174030638045ab50e6ec9d2e9537d72cf3e76b6e0b3348fc1
SHA512 4e94c57a276f2feb5e74e1b6f376085de88a6b0cbfdbf77634e1c85ebf514473b150e677a60b9ff3621d9fc21ba3fcd2ad90c91b633a2dff13cb1933ca80a059

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 eaf9ddec9e92277b04267ed338024723
SHA1 5e20a503bae8967988fa339822361d9132a7cf65
SHA256 cd10b17c7677023fe2ecf462509859de5e8b5cfe830ba71396c6639499a11583
SHA512 2302424c6082ebf0d95b1fb1db0fd3eb92c6010669ba7acbf855105fe953e1bccfc966cdfc19fa581b98c7e109eb7c4ae6e7d0061d14593889f7245bca9250c2

C:\Windows\SysWow64\Ocular\OPolicy.ini

MD5 92b241f1481f7308fec1d8cf8ee1a06d
SHA1 0ad29126c63d1692f7608289475a2ba3f986b7e3
SHA256 a86c106a60bf075debe285a6d3cb17523ca9b0c8a5609ff5ec5c32908d8617ff
SHA512 8d9d98d56d96aca2002c301e25833871447a6f860f2558f144b5fa747d059e6502bcd383ba4bf24cea42503043c1a5c58a65c89e703f10725f3a837cbe8bbea6

C:\Windows\SysWOW64\Ocular\OPolicy.ini

MD5 7283fb584d9bb9ca700796c2b3bc9165
SHA1 ed1d72488146f29eaaea26eeb1baa335d3abd25a
SHA256 c1ba97b0f123fa5a774b85b84161e649dde404fcb119bef040575b7fa46185e6
SHA512 a16b90640567aee9a23ff167415e567f1f4d378069889c5d6ceedbd8afcb8acb6c350c2aa603328ca07eb52d1971d88569d17588987b37053e688729f244f655

C:\Windows\SysWow64\Ocular\msmidtierserverclass3.dat


Analysis: behavioral10

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 3836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 3836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 3836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20231129-en

Max time kernel

119s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240508-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 1856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240221-en

Max time kernel

120s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240220-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 5064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4472 wrote to memory of 5064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4472 wrote to memory of 5064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

111s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3116 wrote to memory of 216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3116 wrote to memory of 216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3116 wrote to memory of 216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 2396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\winrdlv3.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\winrdlv3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Qt5WebEngine.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\test30frames_1080p_ld2.265 C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\uvcon.cfg C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1020.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1025.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\imageformats\qicns.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\Download C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Ocular\OAgent.ini C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_11_6_18_7_240622046_1_3_41 C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_11_6_18_4_240618671_4_3_26500 C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Qt5SerialPort.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\otherfile_icon.png C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\bearer\qgenericbearer.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1029.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\dt_3.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Qt5Svg.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1044.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_5_11_6_18_4_240618656_2_3_18467 C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1010.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Qt5Positioning.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Qt\labs\folderlistmodel\qmldir C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1033.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\bakstec3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1001.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1024.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\Dump C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\Screen C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\Config\p2p_common.ini C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\qmltooling\qmldbg_profiler.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\officetemplate.kid C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\winoav3.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\FtTemp C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\winrdlv3.exe C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\dt_4.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\bakstec3.sys C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular3Path\SCDT\SetupAppTemp C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Ocular\msagentclass.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw2_1002.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\zdefaultskin\zMiniUI.xml C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\Ocular\msmailboxcalss.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\imageformats\qgif.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\PrintData C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\bakrdgv3.sys C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\OBtEmulator C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1036.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1023.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1030.dat C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\TSafeDoc C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\SCDT\DocLog C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata_2024_5_11_6_18_10_240624296_3_3_18467 C:\Windows\SysWOW64\winrdlv3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File created C:\Program Files (x86)\Common Files\System\systecv3.exe C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bakrdgv3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\bakTStartMenu.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakCertList.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakSCClient.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakCameraPack.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\bakwdgv3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\bakTKSPack.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakSCClient.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakTStartMenu.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakTKSPack.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakCertList.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\win.ini C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\bakoav3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\bakrdlv3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\bakstec3.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\bakwdgv364.sys C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File created C:\Windows\LInstSvr.exe C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
File opened for modification C:\Windows\bakCameraPack.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakDWM.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakThirdPartyLib.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakDWM.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakThirdPartyLib.dat C:\Windows\SysWOW64\winrdlv3.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Windows\SysWOW64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver C:\Windows\SysWOW64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRomQEMU____QEMU_DVD-ROM____2.5+ C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DiskDADY____________HARDDISK2.5+ C:\Windows\SysWOW64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\SysWOW64\winrdlv3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65655" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471755147" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000c292db67d00000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400410044005900200048004100520044004400490053004b00200044004400300030003000310033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000eaa3b7af2fc100000000000000000000000000000000000000000000000000000000000000000000000000000000000052c3dfe6ae2de640 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 030000004400450053004b0054004f0050002d003500530037004b004b00470038000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 52c3dfe6ae2de640 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000030004600330046004600460046004600300046003000300030003300300030000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65813" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" C:\Windows\SysWOW64\winrdlv3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\winrdlv3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 904 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 904 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1736 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1736 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 1736 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 1736 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 1736 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 1736 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 1736 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 3464 wrote to memory of 4756 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 3464 wrote to memory of 4756 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 3464 wrote to memory of 4756 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1736 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1736 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1736 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 4756 wrote to memory of 2692 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 4756 wrote to memory of 2692 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 4756 wrote to memory of 2692 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 2692 wrote to memory of 4332 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2692 wrote to memory of 4332 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Windows\SysWOW64\winrdlv3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe

"C:\Users\Admin\AppData\Local\Temp\3fa4c62861f73439e7c877b096a64a5e3fe6057fd07b7a508252b6bceeb04944.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Program Files (x86)\Common Files\System\systecv3.exe

"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE

C:\Windows\SysWOW64\winrdlv3.exe

C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32

C:\Windows\SysWOW64\winrdlv3.exe

"C:\Windows\system32\winrdlv3.exe" SW_HIDE

C:\Windows\SysWOW64\winrdlv3.exe

C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s trmenushl64.dll

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
HK 206.238.199.139:8237 tcp
US 8.8.8.8:53 139.199.238.206.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\nsProcess.dll

MD5 88d3e48d1c1a051c702d47046ade7b4c
SHA1 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23
SHA256 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257
SHA512 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\nsr65A0.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Program Files (x86)\Common Files\System\systecv3.exe

MD5 b9e0a7cbd7fdb4d179172dbdd453495a
SHA1 7f1b18a2bee7defa6db4900982fd3311aabed50d
SHA256 cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce
SHA512 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c

C:\Windows\win.ini

MD5 91c92ac90e74a5dc2d3edd6579870f16
SHA1 720064d5eb301f2154ecb9cb9318ba91034b067a
SHA256 3357fd467ef2d825eafd2f2d20508bf8f6c16eb0c1dacbb9ae6e528607098f78
SHA512 79d153389988c7693e5c5a9cf311f12c6c69dc7d77f4b9dc25fda8ad214ee8148ea6e721604d136d1f2ff10828d8f78c317a7b0e2ce2a0d44b55aa3f2e0a6aa8

C:\Windows\bakrdgv3.sys

MD5 97ac3ef2e098c4cb7dd6ec1d14dc28f1
SHA1 3e78e87eefe45f8403e46d94713b6667aee6d9c9
SHA256 a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1
SHA512 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd

C:\Windows\SysWOW64\winrdlv3.exe

MD5 0cbeb75d3090054817ea4df0773afe35
SHA1 58c543a84dc18e21d86ad2c011d8ac726867fb78
SHA256 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822
SHA512 f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c

C:\Windows\SysWOW64\winwdgv3.dll

MD5 0aed8f70a00060f8005efa8d1c668b98
SHA1 c75fe3d1a2476da55f526d366f73bedbfd56f32a
SHA256 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671
SHA512 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787

C:\Windows\system32\winwdgv364.dll

MD5 889482a07ba13fc6e194a63d275a850a
SHA1 16a164fded3352abb63722a5c74750cdc438f99a
SHA256 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0
SHA512 e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a

C:\Windows\SysWOW64\winoav3.dll

MD5 3ae42cb8a028c5be3f57575342bbb56d
SHA1 2939396b9069d4b46febc047b13ce2c30de7e886
SHA256 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609
SHA512 f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24

memory/4756-278-0x00000000018D0000-0x00000000026FC000-memory.dmp

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 060a95870c44f2f006d4230cb631647b
SHA1 4717872a694141655512617614e9dffd0c0c671f
SHA256 30834e63dfef0fba60ac08c3d4d6a2f51526c7a57f06d7e7633d45acf55def08
SHA512 009586ebbe1615cd143e9f7c4a11b3854d5c9f3451a98fc9be4bc41deffa05d190294a9eb6bddf5df936247eb1cd1a972769c9b5faacbed12724e298badfd3b9

C:\Windows\SysWOW64\Ocular\msodhash3.dat

MD5 9939bdd951897c8a48769f2e18be5397
SHA1 d3a9640400bf4175c2d560fb450fa6b723775636
SHA256 e7243c8ab50e2d1174030638045ab50e6ec9d2e9537d72cf3e76b6e0b3348fc1
SHA512 4e94c57a276f2feb5e74e1b6f376085de88a6b0cbfdbf77634e1c85ebf514473b150e677a60b9ff3621d9fc21ba3fcd2ad90c91b633a2dff13cb1933ca80a059

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 325df174fb0782239682c04e057c4c2e
SHA1 02e88669efcbc8e77c49ea838ad3368342dda76f
SHA256 35bc622557bbbe243a8e2c04c9ac9340272b47973a3afabd2585d9ee44fa6a7f
SHA512 2d2148c0dcfeff9ff1949d3b82bc4e808cd985b96e1a70e36aa7b06095a2580e9d69a670669aee18a2c1a3e7dbc268d41a4bce56ef4de1fffa8d68d827c0e3f2

C:\Windows\SysWOW64\Ocular\OPolicy.ini

MD5 92b241f1481f7308fec1d8cf8ee1a06d
SHA1 0ad29126c63d1692f7608289475a2ba3f986b7e3
SHA256 a86c106a60bf075debe285a6d3cb17523ca9b0c8a5609ff5ec5c32908d8617ff
SHA512 8d9d98d56d96aca2002c301e25833871447a6f860f2558f144b5fa747d059e6502bcd383ba4bf24cea42503043c1a5c58a65c89e703f10725f3a837cbe8bbea6

C:\Windows\SysWOW64\Ocular\OPolicy.ini

MD5 83a930a7c95cc68951fe960e55e3f5c9
SHA1 537d523129a792d2062cc4fca8e8d5f13f7b0912
SHA256 493fb7a677670d5e2f34022b176c27167ea5d2a2d36afcc60d5d7177dd0bb415
SHA512 74b293a59793d250670b0430a21af32e9bef4d054db1b1e6a10aa09906a56999a36d9cffeffa5dcbc2bb770bf5468ccde674bb9860d281f01ac6e8ac0a18fc4f

C:\Windows\win.ini

MD5 5daaf0f34045e6dabc6e59dab1a7ac9f
SHA1 2814e7f9a81392bfca7d103563fb9739cd39532d
SHA256 84d9937dc17d4157c0acfb2fbe2450a09888dfd6b56a08f48c671080b76e3c32
SHA512 22cb72df8d8cbc993f868fa6bfb05f4cf88fdc05efde13e65eed6cf9c9f9b4071a4c9d8c9908cb98da686e3783f6fb31117e9cbd01411b2d91942b35d9497cc2

C:\Windows\SysWOW64\Ocular\msmidtierserverclass3.dat

MD5 802914edc8dec4d5414de5bb98601d40
SHA1 13fe97de7e7593781a472d95324303e34eab552b
SHA256 01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947
SHA512 64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 3144ced0652027e1a505967dae0720ee
SHA1 752e7f4987a114c896e5ac7ac167b6070b42280e
SHA256 f620ff40e6a02f00fece685b5824bfa8a803953947aac082f14589ab7735b57b
SHA512 b3fa392efef59de6d3b90efe32eb5d1baec5e1d8d1fdc905976ac7cd6259a2a873e4436125d26eb9c48607fa5ac49eb61c48e8c3a984d8ef23b88c89ce8b57d4

C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat

MD5 c65f746d55d47f9713a4b1756c441838
SHA1 1161f92d203b43c2c1949cbeebc1dc4d1962eb29
SHA256 b87182c052c2bd44f743b22cad39b8c18ca16d166734eae7a1af1a75caa2e148
SHA512 a14025e1c15586d14ab99bef82f340b605992513724cc05f47d6d693e3b088a63c483054dc953dcc5ddf6a0ce5e7ad5391abd448dbc8c227dfeb70e9be61d341

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 07bb1eef573ac5d36aabae55b997201d
SHA1 6e988cb0dd14bd36b5eae5670aa0623f7bc3e69d
SHA256 6b415ecaa5a274874c643a8139299504ad9a3e577d098cee74f16bb1966dd553
SHA512 da56a20b7772f59ebbd87affcd1ffa029854d95b5bf65a5eac2f5f3370ce84b2fdf2decf4bcde12b23457d133c8b273c4d85674f956d82f6a2246a8a762cca8c

C:\Windows\win.ini

MD5 2f8cec36a057f241243de87776687f98
SHA1 54b4660c18cfccf7f66ffae207c982bda8efbd1d
SHA256 8d5902e43db821b33bd525085e5574c23c294ebfdc8d2dc7ca1931079895b4a4
SHA512 36e1aabdd91fb6ed1f61408dbc0a2775b706845d591122d32b93f8a912e48e4b23ec16793860b6b24e17e1343ed316838d052f996e99589cd4ba36683bc07f01

C:\Windows\SysWOW64\Ocular\msagentclass.dat

MD5 1ed50f90f5d6ae13c1eb365e7ddd174c
SHA1 21372ee1cfc925d3926e7ba16bfd032c9a440194
SHA256 49ca672d8cf488a80d71508d078484554b8da1deffd78dafd0a15cc9041524c6
SHA512 a79cc841614aa3d7f18fa1a9d5d205be3aa59e2005ebcb0146aa3139d631acd685f76d949b21e1457d8937e56f7d46c507d3d3548b9aec2d5de2f7b3b5efcd4c

C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass2.dat

MD5 b4c5a731de7aafc9a8dece224e0db819
SHA1 190077d8d59260ec8362b8ef35c6b697dc8ed400
SHA256 c4b9f8c964f351f470cfb1734631489c055af13bb8b2df5cc477f2531b476d37
SHA512 120a7c2f964c2228c3546aa5e2a25862530e373812b99613b3d7ab763a267ba8dc49f108eeafc7b5246c6eb70b2099078345b8411e01e6450b47900e6981ef98

C:\Windows\SysWOW64\Ocular\msmailboxidentify.dat

MD5 bf777b127ee66875e2b08174b00bbc07
SHA1 02ef38eb3fad07cc2e795e33dae9ad44cc1de976
SHA256 35c1ab113184120707b157d06e26ae834a48914ea0e313ea74efdebc7ba2e059
SHA512 5f03fb5d7d8a3286452dc9d71e0f8369835c172c2179ca94fc81dddeeb9f17f4404aeb2ea3c483809111cbe3f8741ad2c513a239e303b09f46e0230ec926db07

C:\Windows\SysWOW64\Ocular\msmailboxcalss.dat

MD5 b2a694142b2b98f1c5b41f6d28d02ce6
SHA1 547ce4e42bbe81a358d6866a1a5b194ee2d5720e
SHA256 21f56710a7667c48fd5993a2b42aeee519527bfd36075ba0a11dfc0bec583f0e
SHA512 6cdb6417ba0ad61aa13fe9e27e33bbb4ea29da37969459a9ef5ed054c2822139dda1e7c2f00fba5d43683ddc7603546fa610e813c9f76dc34067d3cce7a14e9c

C:\Windows\SysWOW64\Ocular\OPolicy.ini

MD5 f4470b6b433c0972b6287e59b3122f69
SHA1 4c8bfd22c44fda2871072546e8921ac339f93b16
SHA256 604974ed5942bd43db91fb76c74b587a2ccf4671a264ea471b0837b3e714409b
SHA512 b39abcf2d0fa45886be71b644cfc98c685346dbaf887e2ee9c30046bee8b627af61c1202fd39dbd550173c4ba331dec47843e3f5d2e36f995c227fe132c91196

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 7dec65a645f910deda8d66203d73c31f
SHA1 30d4e13771f9b4008a68f9999dca6cccc042529d
SHA256 adef1da6ab02908c71912bca3f252b54b8b35426ef5ac987710fccc09ade156c
SHA512 b1d19087e03875486c547a9a81c6c0539136a49c22c07a99bb0c3bdfbe172c476b065bfe4862e513d36e0fc91f0d8a284d74677ff7e9ea433a2d6ced64c8d6b8

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2992 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2992 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240221-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 1460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2088 wrote to memory of 1460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2992 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2992 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2992 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2992 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2992 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2992 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 1432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 1432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 1432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240508-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240215-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240508-en

Max time kernel

128s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 5028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2580 wrote to memory of 5028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2580 wrote to memory of 5028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4652 wrote to memory of 4792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4652 wrote to memory of 4792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4652 wrote to memory of 4792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5952 wrote to memory of 5388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5952 wrote to memory of 5388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5952 wrote to memory of 5388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5388 -ip 5388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 1392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 1392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 1392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1392 -ip 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4544 wrote to memory of 3852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4544 wrote to memory of 3852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4544 wrote to memory of 3852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

108s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53          14.160.190.20.in-addr.arpa    udp
NL       23.62.61.97:443     www.bing.com                  tcp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53          97.61.62.23.in-addr.arpa      udp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53          35.15.31.184.in-addr.arpa     udp
US       8.8.8.8:53          79.190.18.2.in-addr.arpa      udp
US       8.8.8.8:53          43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win10v2004-20240226-en

Max time kernel

109s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 5100 wrote to memory of 1652  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 5100 wrote to memory of 1652  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 5100 wrote to memory of 1652  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country  Destination         Domain                        Proto
GB       216.58.201.106:443                                tcp
US       8.8.8.8:53          79.190.18.2.in-addr.arpa      udp
US       8.8.8.8:53          97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53          35.15.31.184.in-addr.arpa     udp
US       8.8.8.8:53          2.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa    udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240508-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 2156 wrote to memory of 1184  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 1184  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 1184  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 1184  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 1184  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 1184  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 1184  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-11 06:17

Reported

2024-05-11 06:20

Platform

win7-20240508-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 1524 wrote to memory of 1796  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1796  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1796  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1796  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1796  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1796  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1796  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

Network

N/A

Files

N/A