31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
Size

13.6MB
MD5

6b4517207feb4de39ab3fd702bdb7287
SHA1

59da9861323d5b1c9308e5272436b53c138494a4
SHA256

31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14
SHA512

f16fb22de5842a191db72ec747c667bcf05059abe03a8ab948a9e616c0a39ccc126cec3bd7b0e631ba7542b5eec97154856902c59a5cb04890afae99a43d9da0
SSDEEP

393216:uX3gUfZgh5sqbgpD+wRsB7CiY0SQZDdQ0KJAUxf38bG:uAUQsmgJ+wQ9YDCC0KGO3oG

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2848 netsh.exe
2320 netsh.exe
Executes dropped EXE 6 IoCs

Processes:

systecv3.exewinrdgv3.exewinrdgv3.exewinrdlv3.exewinrdlv3.exewinrdlv3.exe

pid process

688 systecv3.exe
2140 winrdgv3.exe
1684 winrdgv3.exe
920 winrdlv3.exe
1328 winrdlv3.exe
2016 winrdlv3.exe

pid	process
2848	netsh.exe
2320	netsh.exe

pid	process
688	systecv3.exe
2140	winrdgv3.exe
1684	winrdgv3.exe
920	winrdlv3.exe
1328	winrdlv3.exe
2016	winrdlv3.exe

Loads dropped DLL 16 IoCs

Processes:

31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exewinrdgv3.exewinrdlv3.exewinrdlv3.exe

pid	process
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2140	winrdgv3.exe
1328	winrdlv3.exe
1328	winrdlv3.exe
2016	winrdlv3.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

winrdlv3.exe

description	ioc	process
File opened (read-only)	\??\O:	winrdlv3.exe
File opened (read-only)	\??\I:	winrdlv3.exe
File opened (read-only)	\??\G:	winrdlv3.exe
File opened (read-only)	\??\P:	winrdlv3.exe
File opened (read-only)	\??\T:	winrdlv3.exe
File opened (read-only)	\??\D:	winrdlv3.exe
File opened (read-only)	\??\Y:	winrdlv3.exe
File opened (read-only)	\??\Z:	winrdlv3.exe
File opened (read-only)	\??\B:	winrdlv3.exe
File opened (read-only)	\??\J:	winrdlv3.exe
File opened (read-only)	\??\Q:	winrdlv3.exe
File opened (read-only)	\??\V:	winrdlv3.exe
File opened (read-only)	\??\X:	winrdlv3.exe
File opened (read-only)	\??\H:	winrdlv3.exe
File opened (read-only)	\??\U:	winrdlv3.exe
File opened (read-only)	\??\W:	winrdlv3.exe
File opened (read-only)	\??\A:	winrdlv3.exe
File opened (read-only)	\??\K:	winrdlv3.exe
File opened (read-only)	\??\R:	winrdlv3.exe
File opened (read-only)	\??\E:	winrdlv3.exe
File opened (read-only)	\??\M:	winrdlv3.exe
File opened (read-only)	\??\F:	winrdlv3.exe
File opened (read-only)	\??\N:	winrdlv3.exe
File opened (read-only)	\??\S:	winrdlv3.exe
File opened (read-only)	\??\L:	winrdlv3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

winrdlv3.exe

description ioc process

File opened for modification \??\PhysicalDrive0 winrdlv3.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	winrdlv3.exe

Drops file in System32 directory 64 IoCs

Processes:

31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exewinrdlv3.exesystecv3.exewinrdgv3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Qt5WebEngine.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1023.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1028.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWow64\Ocular\TKS\TKSMatch	winrdlv3.exe
File opened for modification	C:\Windows\SysWow64\Ocular3Path\SCDT	winrdlv3.exe
File created	C:\Windows\SysWOW64\crashreport.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1043.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\Ocular\msodhash3.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\apk_icon.png	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWow64\bakrdgv3.sys	systecv3.exe
File opened for modification	C:\Windows\SysWow64\Ocular\Rtft	winrdlv3.exe
File opened for modification	C:\Windows\SysWow64\Ocular\TKS\TKSTemp	winrdlv3.exe
File created	C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_2_11_35_25_259407697_1_3_41	winrdlv3.exe
File created	C:\Windows\SysWOW64\Qt5RemoteObjects.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\dgpver.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWow64\Ocular\Asset	winrdlv3.exe
File created	C:\Windows\SysWOW64\imageformats\qicns.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass2.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\Qt\labs\platform\qmldir	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw2_1008.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw2_1009.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1020.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1039.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	winrdgv3.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1003.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1021.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\position\qtposition_positionpoll.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent	winrdlv3.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\kpdfconverter.kid	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWOW64\sdcenter.dll	winrdlv3.exe
File created	C:\Windows\SysWOW64\WebEngineProcess.exe	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\bugreport.exe	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1010.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWow64\Ocular\msodhash3.dat	winrdlv3.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\zdefaultskin\zdefaultskin.ui	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWow64\Ocular\BroHistory	winrdlv3.exe
File opened for modification	C:\Windows\SysWow64\Ocular3Path\SCDT\SetupAppTemp	winrdlv3.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\otherfile_icon.png	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1015.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWow64\Ocular\PrintData	winrdlv3.exe
File created	C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_2_11_35_25_259407713_3_3_6334	winrdlv3.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\360zip\360zip.ini	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\dt_2.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\qmltooling\qmldbg_profiler.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\Ocular\msmailboxcalss.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\endata\aw_1042.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\Qt5WebChannel.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\SysWOW64\zipnew.dat	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\SysWow64\Ocular\Files	winrdlv3.exe
File created	C:\Windows\SysWOW64\Qt5Svg.dll	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe

Drops file in Program Files directory 3 IoCs

Processes:

31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exesystecv3.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\systecv3.exe	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Program Files (x86)\Common Files\System\winrdgv3.exe	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\winrdgv3.exe	systecv3.exe

Drops file in Windows directory 23 IoCs

Processes:

31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exesystecv3.exewinrdlv3.exewinrdlv3.exe

description	ioc	process
File created	C:\Windows\bakrdgv3.sys	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\bakwdgv364.sys	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\bakSCClient.dat	systecv3.exe
File opened for modification	C:\Windows\bakDWM.dat	systecv3.exe
File opened for modification	C:\Windows\bakCameraPack.dat	winrdlv3.exe
File opened for modification	C:\Windows\bakDWM.dat	winrdlv3.exe
File opened for modification	C:\Windows\bakCertList.dat	systecv3.exe
File opened for modification	C:\Windows\bakSCClient.dat	winrdlv3.exe
File created	C:\Windows\bakoav3.sys	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\bakstec3.sys	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\bakwdgv3.sys	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\bakTStartMenu.dat	systecv3.exe
File opened for modification	C:\Windows\bakTKSPack.dat	systecv3.exe
File opened for modification	C:\Windows\bakThirdPartyLib.dat	systecv3.exe
File opened for modification	C:\Windows\bakCertList.dat	winrdlv3.exe
File opened for modification	C:\Windows\win.ini	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\win.ini	winrdlv3.exe
File created	C:\Windows\bakrdlv3.sys	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File created	C:\Windows\LInstSvr.exe	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
File opened for modification	C:\Windows\bakCameraPack.dat	systecv3.exe
File opened for modification	C:\Windows\bakTStartMenu.dat	winrdlv3.exe
File opened for modification	C:\Windows\bakTKSPack.dat	winrdlv3.exe
File opened for modification	C:\Windows\bakThirdPartyLib.dat	winrdlv3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

winrdlv3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	winrdlv3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	winrdlv3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	winrdlv3.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

winrdlv3.exewinrdgv3.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	winrdlv3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	winrdlv3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	winrdlv3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	winrdgv3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	winrdgv3.exe

Modifies registry class 20 IoCs

Processes:

winrdlv3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295"	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000010000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400410044005900200048004100520044004400490053004b00200051004d00300030003000310033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000e25bc60b640200000000000000000000000000000000000000000000000000000000000000000000000000000000000044444404732de640	winrdlv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	winrdlv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471754687"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295"	winrdlv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID	winrdlv3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999"	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000c29ac26e700000000000000000000000000000000000000000000000000000000000000000000000000000000000044444404732de640	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1"	winrdlv3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65591"	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 44444404732de640	winrdlv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 030000004400450053004b0054004f0050002d003500530037004b004b00470038000000	winrdlv3.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

winrdgv3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	winrdgv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	winrdgv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	winrdgv3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	winrdgv3.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exewinrdlv3.exewinrdlv3.exe

pid	process
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
1328	winrdlv3.exe
1328	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
1328	winrdlv3.exe
1328	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
1328	winrdlv3.exe
1328	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
1328	winrdlv3.exe
1328	winrdlv3.exe
2016	winrdlv3.exe
2016	winrdlv3.exe
1328	winrdlv3.exe
1328	winrdlv3.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

480
480
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

systecv3.exewinrdlv3.exe

description pid process

Token: SeDebugPrivilege 688 systecv3.exe
Token: SeTcbPrivilege 2016 winrdlv3.exe
Token: SeDebugPrivilege 2016 winrdlv3.exe

pid	process
480
480

description	pid	process
Token: SeDebugPrivilege	688	systecv3.exe
Token: SeTcbPrivilege	2016	winrdlv3.exe
Token: SeDebugPrivilege	2016	winrdlv3.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.execmd.execmd.exewinrdgv3.exewinrdlv3.exewinrdlv3.exe

description	pid	process	target process
PID 2212 wrote to memory of 1324	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	cmd.exe
PID 2212 wrote to memory of 1324	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	cmd.exe
PID 2212 wrote to memory of 1324	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	cmd.exe
PID 2212 wrote to memory of 1324	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	cmd.exe
PID 1324 wrote to memory of 2320	1324	cmd.exe	netsh.exe
PID 1324 wrote to memory of 2320	1324	cmd.exe	netsh.exe
PID 1324 wrote to memory of 2320	1324	cmd.exe	netsh.exe
PID 1324 wrote to memory of 2320	1324	cmd.exe	netsh.exe
PID 2212 wrote to memory of 2260	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	cmd.exe
PID 2212 wrote to memory of 2260	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	cmd.exe
PID 2212 wrote to memory of 2260	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	cmd.exe
PID 2212 wrote to memory of 2260	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	cmd.exe
PID 2260 wrote to memory of 2848	2260	cmd.exe	netsh.exe
PID 2260 wrote to memory of 2848	2260	cmd.exe	netsh.exe
PID 2260 wrote to memory of 2848	2260	cmd.exe	netsh.exe
PID 2260 wrote to memory of 2848	2260	cmd.exe	netsh.exe
PID 2212 wrote to memory of 688	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	systecv3.exe
PID 2212 wrote to memory of 688	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	systecv3.exe
PID 2212 wrote to memory of 688	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	systecv3.exe
PID 2212 wrote to memory of 688	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	systecv3.exe
PID 2212 wrote to memory of 1684	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	winrdgv3.exe
PID 2212 wrote to memory of 1684	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	winrdgv3.exe
PID 2212 wrote to memory of 1684	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	winrdgv3.exe
PID 2212 wrote to memory of 1684	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	winrdgv3.exe
PID 2212 wrote to memory of 920	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	winrdlv3.exe
PID 2212 wrote to memory of 920	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	winrdlv3.exe
PID 2212 wrote to memory of 920	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	winrdlv3.exe
PID 2212 wrote to memory of 920	2212	31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe	winrdlv3.exe
PID 2140 wrote to memory of 1328	2140	winrdgv3.exe	winrdlv3.exe
PID 2140 wrote to memory of 1328	2140	winrdgv3.exe	winrdlv3.exe
PID 2140 wrote to memory of 1328	2140	winrdgv3.exe	winrdlv3.exe
PID 2140 wrote to memory of 1328	2140	winrdgv3.exe	winrdlv3.exe
PID 1328 wrote to memory of 2016	1328	winrdlv3.exe	winrdlv3.exe
PID 1328 wrote to memory of 2016	1328	winrdlv3.exe	winrdlv3.exe
PID 1328 wrote to memory of 2016	1328	winrdlv3.exe	winrdlv3.exe
PID 1328 wrote to memory of 2016	1328	winrdlv3.exe	winrdlv3.exe
PID 2016 wrote to memory of 2228	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 2228	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 2228	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 2228	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 2228	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 2228	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 2228	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 1972	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 1972	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 1972	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 1972	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 1972	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 1972	2016	winrdlv3.exe	regsvr32.exe
PID 2016 wrote to memory of 1972	2016	winrdlv3.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

winrdlv3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	winrdlv3.exe

C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
"C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
3⤵
- Modifies Windows Firewall
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
3⤵
- Modifies Windows Firewall
PID:2848

C:\Program Files (x86)\Common Files\System\systecv3.exe
"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\SysWOW64\winrdlv3.exe
"C:\Windows\system32\winrdlv3.exe" SW_HIDE
2⤵
- Executes dropped EXE
PID:920

C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWow64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWow64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2016

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
4⤵
PID:2228

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s /u trmenushl64.dll
4⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LInstSvr.exe
Filesize
413KB

MD5
fb741fceeb80a76f7f0005a1ac60604a

SHA1
a6a8d97365634b266f0b5a001038a5a86b9ed2d6

SHA256
c8bd29c490368ebfc56dc5c951e24af613f7e5b68a8493240f5ec1afd9d4a9b1

SHA512
8e43d1a8448828e9ea5fcac792b95dcb63640ea200cb2d2dff4902c4ceb6e79a405e0739d293c7cc14bb6ee025089fb9e954ba38e6707b92ac9fe251918bd780

Download Submit
C:\Windows\SysWOW64\Ocular\OAgent.ini
Filesize
7KB

MD5
3b5cfa0dee5399ed374e7ea190e17702

SHA1
c284ca1a80cb29751dfa22b8394639cee60fdf20

SHA256
174611360f12c80bed1541c08df888b51fb8b432b7d40a53bee3bcce2f54a4b4

SHA512
32225ab627b31ab06a9171cc01b34b12f2060a51f8e02b31f808f37d8c037c1b58769054dbb3af57e2f5bdd9388240bee63cbc018611894f39feb187d85b018a

Download Submit
C:\Windows\SysWOW64\Ocular\OAgent.ini
Filesize
7KB

MD5
e620702190c9a304112c41e36b43d6b6

SHA1
38ef2495f468644b2d9588fc0fe9408b23415a89

SHA256
56d61b6ae0291a229597d9ac8c964856224de373ec0ae5f9cef2b8b81f893881

SHA512
b9fceabe45db2a1eb0764c408d26a4f1546021b78682dace9c10a1ec4012a41d02b59c46cfd6b92fd8bd8a3a3407fa5db829db146029f309cf5a350f48c4b1eb

Download Submit
C:\Windows\SysWOW64\Ocular\OPolicy.ini
Filesize
7KB

MD5
8d2ff4e0abf08dcff293f9fc9b67a4d3

SHA1
ed409486dd176c8598a45c28f0fecb7f0645c88a

SHA256
0a71f0600dd213e41a456f02dfc2f363166c557469d7cf1492351b71fdb6c45c

SHA512
65b25e7f6c7073ce20ac8af3a8e7361961304e9ac94173d821362e51ca4382a434cd1e1304a98680d7c5f8504cfe83a475ae3ed1138a56a756aa8f88031d598b

Download Submit
C:\Windows\SysWow64\Ocular\AgentTask\AgentTaskList.dat
Filesize
32B

MD5
cb8011b1b79f2a807d75bddd80ac6e0e

SHA1
130414054b8e1be7c7a153d7ba48edebeeedbc65

SHA256
cf0869f7602342ad3042ab84cf2de0b5adbd71b3316a062182c7a47c7671a630

SHA512
7cf22ffecbc743c35e5149ad8a404426dde094c0058479273d5a92b8a4bf3f840bd2f4b3f6074331e214d6e6e1d71837f1431c8f6685ae2ad22a68f70f991860

Download Submit
C:\Windows\SysWow64\Ocular\OAgent.ini
Filesize
7KB

MD5
1acb166750b21d9c394ccacfdaa718bc

SHA1
28232adfe22d1aa042ef4534e9a988375537afc9

SHA256
2526e939a30a437cfa4a2b546805f6fc4cc76fdeecf0a5281d1bd85eda78e7df

SHA512
8cbc831caa3d5291f37087c5f38dd917b7c8b6b3ccb3a54ed61292fd505fb1fba68bf8f73fb305cfd19fc6a9bac72ddcf09a1cff2c599bd523c129eb1fc015e1

Download Submit
C:\Windows\SysWow64\Ocular\OPolicy.ini
Filesize
7KB

MD5
b0ad710d556202e4e10ec85de251a05e

SHA1
e3ed531e03631b313586905696d41bd4614206b4

SHA256
cfbe90e8a34e2c62825dd2645a501b895df9b9df30742d818d9121b0e0d0cc1a

SHA512
b18fce2a1f162be627b5721e06db24262c5ffb10ea343cabf9da3577e0942dedac4d350f5f40d0f074e2fe7710744ab9f8c476e4f554eadffde7cb3ab7a0b43a

Download Submit
C:\Windows\SysWow64\Ocular\msmidtierserverclass3.dat
Filesize
132B

MD5
802914edc8dec4d5414de5bb98601d40

SHA1
13fe97de7e7593781a472d95324303e34eab552b

SHA256
01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947

SHA512
64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf

Download Submit
C:\Windows\SysWow64\Ocular\msodhash3.dat
Filesize
6KB

MD5
cc6f29a25411edb2c70d8435f65d07e7

SHA1
979d233f6f28be82c13741656ade2267570b370f

SHA256
51181f1ca5c983ae43772423bfa3474a89f146ed2ac8bf9213fe892483382689

SHA512
0f60b4ce017e44b429821d3d6f613ed7b683effc5d38e80a28a042687702cea8febc843bd037af18442a84c77766adef2c8ca890bb42e830814f39e364e1fd59

Download Submit
C:\Windows\SysWow64\winoav3.dll
Filesize
13.7MB

MD5
3ae42cb8a028c5be3f57575342bbb56d

SHA1
2939396b9069d4b46febc047b13ce2c30de7e886

SHA256
0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609

SHA512
f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24

Download Submit
C:\Windows\bakrdgv3.sys
Filesize
1.7MB

MD5
97ac3ef2e098c4cb7dd6ec1d14dc28f1

SHA1
3e78e87eefe45f8403e46d94713b6667aee6d9c9

SHA256
a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1

SHA512
693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd

Download Submit
C:\Windows\bakrdlv3.sys
Filesize
57KB

MD5
0cbeb75d3090054817ea4df0773afe35

SHA1
58c543a84dc18e21d86ad2c011d8ac726867fb78

SHA256
453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822

SHA512
f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c

Download Submit
C:\Windows\bakwdgv3.sys
Filesize
2.1MB

MD5
0aed8f70a00060f8005efa8d1c668b98

SHA1
c75fe3d1a2476da55f526d366f73bedbfd56f32a

SHA256
326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671

SHA512
738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787

Download Submit
C:\Windows\system32\winwdgv364.dll
Filesize
1.3MB

MD5
889482a07ba13fc6e194a63d275a850a

SHA1
16a164fded3352abb63722a5c74750cdc438f99a

SHA256
799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0

SHA512
e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a

Download Submit
C:\Windows\win.ini
Filesize
1KB

MD5
c92f152bf334d2f075282a47811a4f0b

SHA1
b72210f515a7534b81fb6141ec1fce55a85fd912

SHA256
0d14a2fc3b0e1877869b8fa8fa0709d426cea00ba2a5b4bd39e275afb7dad8db

SHA512
b3a976a74cd0efb69270dd864a75a2569a4f0984eaa47937162f122a8c838d830d8fcf5ad3d16a4f950a870d58b35b89190d9cd30fc232d63bbeac0799f3037c

Download Submit
C:\Windows\win.ini
Filesize
1KB

MD5
6345a57c6cd75d726a838a14ca43ca5b

SHA1
ceeef4a9fbb3ff05c234440c7a655fa9b4222ff3

SHA256
9316406e880835dda9d7a650b28e8d8d687c59cd0f53a9e733e59fe0415e6430

SHA512
5a165c5aab02791ab922bc54f1ccadac47e1b58aa2c366cc62e7afa99527d3e86f31d8e2f8cafdc39a29aa8547ce04ef50eda362d03c5ee8fbda4b44c94edfd9

Download Submit
\Program Files (x86)\Common Files\System\systecv3.exe
Filesize
2.3MB

MD5
b9e0a7cbd7fdb4d179172dbdd453495a

SHA1
7f1b18a2bee7defa6db4900982fd3311aabed50d

SHA256
cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce

SHA512
720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c

Download Submit
\Users\Admin\AppData\Local\Temp\nst209C.tmp\System.dll
Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\nst209C.tmp\nsExec.dll
Filesize
7KB

MD5
ec9c99216ef11cdd85965e78bc797d2c

SHA1
1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c

SHA256
c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df

SHA512
35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

Download Submit
\Users\Admin\AppData\Local\Temp\nst209C.tmp\nsProcess.dll
Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
memory/1328-259-0x0000000002EE0000-0x0000000003D0C000-memory.dmp

Filesize
14.2MB

Download