Malware Analysis Report

2024-09-09 12:25

Sample ID 240602-npwzgsce44
Target 31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14
SHA256 31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14
Tags: bootkit evasion persistence oss_ak
Score: 9/10

Analysis Overview

Threat Level: Likely malicious

Malicious Activity Summary

detect oss ak

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

System policy modification

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Analysis: static1

Detonation Overview

Reported

2024-06-02 11:35

Signatures

detect oss ak

Tags: oss_ak

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5012 wrote to memory of 2692 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

Network


Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240419-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2488 wrote to memory of 2316 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4292 wrote to memory of 1864 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

Network


Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2676 wrote to memory of 2964 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\platform\qtlabsplatformplugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:38

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5084 wrote to memory of 2332 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2304 wrote to memory of 1920 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3004 wrote to memory of 2668 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlModels.dll,#1

Network


Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1452 wrote to memory of 4088 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

Network


Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3500 wrote to memory of 4908 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

Network


Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4948 wrote to memory of 1968 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

Network


Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 220

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2412 wrote to memory of 2196 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Positioning.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5012 wrote to memory of 1156 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

Network


Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240508-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2176 wrote to memory of 2080 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4248 wrote to memory of 1456 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

Network


Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2156 wrote to memory of 2188 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5Svg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe"

Signatures

Modifies Windows Firewall

Tags: evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\A: through \??\Z:, every drive letter except \??\C: (25 events, one per letter) | C:\Windows\SysWOW64\winrdlv3.exe | N/A |

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\otherfile_icon.png | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\endata\aw_1023.dat | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\endata\dt_2.dat | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\endata\h_1.dat | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\qmltooling\qmldbg_local.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Qt5Svg.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Mails | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Download | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\libssh2.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\platforminputcontexts\qtvirtualkeyboardplugin.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\ExData | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
| File created | C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe | N/A |
File created C:\Windows\SysWOW64\360zip\360zipver.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\TKS\TKSMatch C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\SCDT\DocLog C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\OPolicy.ini C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Ocular\msagentclass.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\knewuplive.ini C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\BroHistory C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Ocular\msoapphash5.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\cjson.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\imageformats\qtiff.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\platforms\qwindows.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw2_1001.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1024.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1028.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Qt5RemoteObjects.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\msodhash3.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\winrdlv3.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Ocular\msmailboxcalss.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Qt5QmlModels.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1045.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\imageformats\qicns.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\imageformats\qjpeg.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Ocular\msmailboxidentify.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\libeSDKOBS.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\imageformats\qico.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\zlibwapi.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\qmltooling\qmldbg_native.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\PrintData C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent\1084 C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Qt5Positioning.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\FtTemp C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\SCDT C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular3Path\SCDT\SetupAppTemp C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Qt\labs\platform\qmldir C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocular\Deploy C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\dgpver.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\System\systecv3.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Program Files (x86)\Common Files\System\systecv3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\bakCertList.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakSCClient.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakCameraPack.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakThirdPartyLib.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakCertList.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\bakSCClient.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakCameraPack.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakDWM.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakTKSPack.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File created C:\Windows\bakstec3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\LInstSvr.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\bakrdlv3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\bakwdgv3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\bakwdgv364.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\bakTStartMenu.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakTKSPack.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakThirdPartyLib.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File created C:\Windows\bakoav3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\bakrdgv3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\bakDWM.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakTStartMenu.dat C:\Windows\SysWOW64\winrdlv3.exe N/A
File opened for modification C:\Windows\win.ini C:\Windows\SysWOW64\winrdlv3.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\SysWOW64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DiskDADY____________HARDDISK2.5+ C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Windows\SysWOW64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver C:\Windows\SysWOW64\winrdlv3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRomQEMU____QEMU_DVD-ROM____2.5+ C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver C:\Windows\SysWOW64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\SysWOW64\winrdlv3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 030000004400450053004b0054004f0050002d003500530037004b004b00470038000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471754687" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000c29ac26e700000000000000000000000000000000000000000000000000000000000000000000000000000000000044444404732de640 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 44444404732de640 C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65591" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\winrdlv3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" C:\Windows\SysWOW64\winrdlv3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWOW64\winrdlv3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\winrdlv3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\winrdlv3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3732 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3732 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1684 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3780 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3780 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1684 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 1684 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 1684 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 3836 wrote to memory of 1752 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 3836 wrote to memory of 1752 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 3836 wrote to memory of 1752 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1684 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 1684 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 1684 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 1752 wrote to memory of 1084 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1752 wrote to memory of 1084 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1752 wrote to memory of 1084 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1684 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1684 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1684 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 1084 wrote to memory of 1988 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 1084 wrote to memory of 1988 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 1084 wrote to memory of 1624 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 1084 wrote to memory of 1624 N/A C:\Windows\SysWOW64\winrdlv3.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Windows\SysWOW64\winrdlv3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe

"C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Program Files (x86)\Common Files\System\systecv3.exe

"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"

C:\Windows\SysWOW64\winrdlv3.exe

C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE

C:\Windows\SysWOW64\winrdlv3.exe

C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32

C:\Windows\SysWOW64\winrdlv3.exe

"C:\Windows\system32\winrdlv3.exe" SW_HIDE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s trmenushl64.dll

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /u trmenushl64.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
HK 206.238.197.191:8237 tcp
US 8.8.8.8:53 191.197.238.206.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsy4F1B.tmp\nsProcess.dll

MD5 88d3e48d1c1a051c702d47046ade7b4c
SHA1 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23
SHA256 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257
SHA512 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

C:\Users\Admin\AppData\Local\Temp\nsy4F1B.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\nsy4F1B.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Program Files (x86)\Common Files\System\systecv3.exe

MD5 b9e0a7cbd7fdb4d179172dbdd453495a
SHA1 7f1b18a2bee7defa6db4900982fd3311aabed50d
SHA256 cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce
SHA512 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c

C:\Windows\win.ini

MD5 c92f152bf334d2f075282a47811a4f0b
SHA1 b72210f515a7534b81fb6141ec1fce55a85fd912
SHA256 0d14a2fc3b0e1877869b8fa8fa0709d426cea00ba2a5b4bd39e275afb7dad8db
SHA512 b3a976a74cd0efb69270dd864a75a2569a4f0984eaa47937162f122a8c838d830d8fcf5ad3d16a4f950a870d58b35b89190d9cd30fc232d63bbeac0799f3037c

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

MD5 97ac3ef2e098c4cb7dd6ec1d14dc28f1
SHA1 3e78e87eefe45f8403e46d94713b6667aee6d9c9
SHA256 a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1
SHA512 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd

C:\Windows\bakrdlv3.sys

MD5 0cbeb75d3090054817ea4df0773afe35
SHA1 58c543a84dc18e21d86ad2c011d8ac726867fb78
SHA256 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822
SHA512 f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c

C:\Windows\SysWOW64\winwdgv3.dll

MD5 0aed8f70a00060f8005efa8d1c668b98
SHA1 c75fe3d1a2476da55f526d366f73bedbfd56f32a
SHA256 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671
SHA512 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787

C:\Windows\system32\winwdgv364.dll

MD5 889482a07ba13fc6e194a63d275a850a
SHA1 16a164fded3352abb63722a5c74750cdc438f99a
SHA256 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0
SHA512 e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a

C:\Windows\SysWOW64\winoav3.dll

MD5 3ae42cb8a028c5be3f57575342bbb56d
SHA1 2939396b9069d4b46febc047b13ce2c30de7e886
SHA256 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609
SHA512 f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24

memory/1752-271-0x0000000001900000-0x000000000272C000-memory.dmp

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 1acb166750b21d9c394ccacfdaa718bc
SHA1 28232adfe22d1aa042ef4534e9a988375537afc9
SHA256 2526e939a30a437cfa4a2b546805f6fc4cc76fdeecf0a5281d1bd85eda78e7df
SHA512 8cbc831caa3d5291f37087c5f38dd917b7c8b6b3ccb3a54ed61292fd505fb1fba68bf8f73fb305cfd19fc6a9bac72ddcf09a1cff2c599bd523c129eb1fc015e1

C:\Windows\SysWOW64\Ocular\msodhash3.dat

MD5 cc6f29a25411edb2c70d8435f65d07e7
SHA1 979d233f6f28be82c13741656ade2267570b370f
SHA256 51181f1ca5c983ae43772423bfa3474a89f146ed2ac8bf9213fe892483382689
SHA512 0f60b4ce017e44b429821d3d6f613ed7b683effc5d38e80a28a042687702cea8febc843bd037af18442a84c77766adef2c8ca890bb42e830814f39e364e1fd59

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 7b3a1244f62a7b081f16d40b4431e999
SHA1 ce67398ac5f23581c7506971e5bd1da798e787e3
SHA256 492aa8726ba8f06e791be0fdd8c7014bbc12a2cf5f428d2f1aaff0c75ac7b4c9
SHA512 01bf399933c895e54c622a163345dec636bb25070341fb45165c4377c5540bbf6067fb4616fc91e5a62fd5a65738ba8bed915f7c3ba1becd09961166a5081343

C:\Windows\SysWOW64\Ocular\OPolicy.ini

MD5 b0ad710d556202e4e10ec85de251a05e
SHA1 e3ed531e03631b313586905696d41bd4614206b4
SHA256 cfbe90e8a34e2c62825dd2645a501b895df9b9df30742d818d9121b0e0d0cc1a
SHA512 b18fce2a1f162be627b5721e06db24262c5ffb10ea343cabf9da3577e0942dedac4d350f5f40d0f074e2fe7710744ab9f8c476e4f554eadffde7cb3ab7a0b43a

C:\Windows\SysWOW64\Ocular\OPolicy.ini

MD5 31e66fec0db16beab8587d7bb9c38cd3
SHA1 b513ea121a16a37cd790fda6f5525f7c7d2743fd
SHA256 c988049765cf91bb6d0858fa01f0aa68737bc442ebc0022dfd16199acc8c6533
SHA512 b1ea2e845cd11b7a01d28a046aaca345a20d393bbc8ad446d6051969ed00f85508c854a8989807f3ee487be76672b2d3abf2fcf2e0668c4b31e775db1966d2d0

C:\Windows\SysWOW64\Ocular\msmidtierserverclass3.dat

MD5 802914edc8dec4d5414de5bb98601d40
SHA1 13fe97de7e7593781a472d95324303e34eab552b
SHA256 01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947
SHA512 64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf

C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat

MD5 cb8011b1b79f2a807d75bddd80ac6e0e
SHA1 130414054b8e1be7c7a153d7ba48edebeeedbc65
SHA256 cf0869f7602342ad3042ab84cf2de0b5adbd71b3316a062182c7a47c7671a630
SHA512 7cf22ffecbc743c35e5149ad8a404426dde094c0058479273d5a92b8a4bf3f840bd2f4b3f6074331e214d6e6e1d71837f1431c8f6685ae2ad22a68f70f991860

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 966a04a5791d4e38cceb84c0e2bc13c7
SHA1 46867a894d097d19d38ed6deef8428c20d18b382
SHA256 e3f20634c4a5cd0529ea200585020a4f454eadf5a1b0987b54dc4c21927b30af
SHA512 d5f879ae75e72b1b109a41bff994f7c246c2eaf44225738d593c461e892523e5bf7b695c0e8a24449ce07d4f651f925617cdedfd2c3b767be2d4559059912b47

C:\Windows\LInstSvr.exe

MD5 fb741fceeb80a76f7f0005a1ac60604a
SHA1 a6a8d97365634b266f0b5a001038a5a86b9ed2d6
SHA256 c8bd29c490368ebfc56dc5c951e24af613f7e5b68a8493240f5ec1afd9d4a9b1
SHA512 8e43d1a8448828e9ea5fcac792b95dcb63640ea200cb2d2dff4902c4ceb6e79a405e0739d293c7cc14bb6ee025089fb9e954ba38e6707b92ac9fe251918bd780

C:\Windows\win.ini

MD5 e25d461a755183bbb769732ea712cf31
SHA1 0a3251c72e3d4765263bf3ff41a40d43d6eb51cf
SHA256 21856c17a98d852bda4530905f984a54af6d7cbe877ae4236cfc7311eb37effe
SHA512 da3ba088bd383d83c6b8ec8c63f1708cd5464656d9560971e3599f9191863ab87ee026686e351c64a5be2e9a0724fb8e6f436739662aa0d41a0eecba702b5698

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1672 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1672 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2300 -ip 2300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=1272 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3488 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3488 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\settings\qmlsettingsplugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWow64\winrdlv3.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWow64\winrdlv3.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWow64\winrdlv3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Qt5WebEngine.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1023.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1028.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\TKS\TKSMatch C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular3Path\SCDT C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\crashreport.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1043.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Ocular\msodhash3.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\apk_icon.png C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWow64\bakrdgv3.sys C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\Rtft C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\TKS\TKSTemp C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_2_11_35_25_259407697_1_3_41 C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Qt5RemoteObjects.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\dgpver.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\Asset C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\imageformats\qicns.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass2.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Qt\labs\platform\qmldir C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw2_1008.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw2_1009.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1020.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1039.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1003.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1021.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\position\qtposition_positionpoll.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\kpdfconverter.kid C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp120.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWOW64\sdcenter.dll C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\WebEngineProcess.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\bugreport.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1010.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\msodhash3.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\zdefaultskin\zdefaultskin.ui C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\BroHistory C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular3Path\SCDT\SetupAppTemp C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\otherfile_icon.png C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1015.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\PrintData C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_2_11_35_25_259407713_3_3_6334 C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\360zip\360zip.ini C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\dt_2.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\qmltooling\qmldbg_profiler.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Ocular\msmailboxcalss.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\endata\aw_1042.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\Qt5WebChannel.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\SysWOW64\zipnew.dat C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\SysWow64\Ocular\Files C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\SysWOW64\Qt5Svg.dll C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\System\systecv3.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Program Files (x86)\Common Files\System\systecv3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bakrdgv3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\bakwdgv364.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\bakSCClient.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakDWM.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakCameraPack.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakDWM.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakCertList.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakSCClient.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\bakoav3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\bakstec3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\bakwdgv3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\bakTStartMenu.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakTKSPack.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakThirdPartyLib.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakCertList.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\win.ini C:\Windows\SysWow64\winrdlv3.exe N/A
File created C:\Windows\bakrdlv3.sys C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File created C:\Windows\LInstSvr.exe C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
File opened for modification C:\Windows\bakCameraPack.dat C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
File opened for modification C:\Windows\bakTStartMenu.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakTKSPack.dat C:\Windows\SysWow64\winrdlv3.exe N/A
File opened for modification C:\Windows\bakThirdPartyLib.dat C:\Windows\SysWow64\winrdlv3.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWow64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\SysWow64\winrdlv3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWow64\winrdlv3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWow64\winrdlv3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471754687" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID C:\Windows\SysWow64\winrdlv3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000 C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000c29ac26e700000000000000000000000000000000000000000000000000000000000000000000000000000000000044444404732de640 C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65591" C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 44444404732de640 C:\Windows\SysWow64\winrdlv3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 030000004400450053004b0054004f0050002d003500530037004b004b00470038000000 C:\Windows\SysWow64\winrdlv3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Common Files\System\winrdgv3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A
N/A N/A C:\Windows\SysWow64\winrdlv3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\System\systecv3.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWow64\winrdlv3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWow64\winrdlv3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 1324 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1324 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1324 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1324 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2212 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2260 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2212 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 2212 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 2212 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 2212 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\systecv3.exe
PID 2212 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 2212 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 2212 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 2212 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Program Files (x86)\Common Files\System\winrdgv3.exe
PID 2212 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 2212 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 2212 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 2212 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe C:\Windows\SysWOW64\winrdlv3.exe
PID 2140 wrote to memory of 1328 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 2140 wrote to memory of 1328 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 2140 wrote to memory of 1328 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 2140 wrote to memory of 1328 N/A C:\Program Files (x86)\Common Files\System\winrdgv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 1328 wrote to memory of 2016 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 1328 wrote to memory of 2016 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 1328 wrote to memory of 2016 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 1328 wrote to memory of 2016 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\SysWow64\winrdlv3.exe
PID 2016 wrote to memory of 2228 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 2228 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 2228 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 2228 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 2228 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 2228 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 2228 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe
PID 2016 wrote to memory of 1972 N/A C:\Windows\SysWow64\winrdlv3.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Windows\SysWow64\winrdlv3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe

"C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"

C:\Program Files (x86)\Common Files\System\systecv3.exe

"C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"

C:\Program Files (x86)\Common Files\System\winrdgv3.exe

"C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE

C:\Windows\SysWOW64\winrdlv3.exe

"C:\Windows\system32\winrdlv3.exe" SW_HIDE

C:\Windows\SysWow64\winrdlv3.exe

C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32

C:\Windows\SysWow64\winrdlv3.exe

C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s trmenushl64.dll

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /u trmenushl64.dll
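
The WriteProcessMemory rows and the command lines above are enough to rebuild the process tree and pull out the three things an analyst wants from this run: the firewall allow rules added for winrdlv3.exe, the DLLs winrdlv3.exe loads by export name, and the silent regsvr32 register/unregister of trmenushl64.dll. The Python below is an added triage example, not code from the report or from the sandbox that produced it. It assumes that a "PID X wrote to memory of Y" row records X creating Y (which is how the Processes list reads) and that an argument of the form dll,Export is a rundll32-style export call; the finding tags (firewall_allow, dll_export_call, regsvr32_silent_*, hidden_window_arg) are this example's own names. The embedded rows are a subset copied from the tables above.

```python
# Added triage example: rebuild process lineage from the WriteProcessMemory
# rows and classify the command lines. Not code from the report or the sandbox.
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe"

# Rows copied from the report's WriteProcessMemory table (a subset; the report
# repeats each edge, and so does this sample). Assumption: "X wrote to memory
# of Y" records X creating Y, which is how the Processes list reads.
SIGNATURE_ROWS = [
    f"PID 2212 wrote to memory of 1324 N/A {SAMPLE} C:\\Windows\\SysWOW64\\cmd.exe",
    f"PID 2212 wrote to memory of 1324 N/A {SAMPLE} C:\\Windows\\SysWOW64\\cmd.exe",
    "PID 1324 wrote to memory of 2320 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\netsh.exe",
    f"PID 2212 wrote to memory of 688 N/A {SAMPLE} C:\\Program Files (x86)\\Common Files\\System\\systecv3.exe",
    "PID 2140 wrote to memory of 1328 N/A C:\\Program Files (x86)\\Common Files\\System\\winrdgv3.exe C:\\Windows\\SysWow64\\winrdlv3.exe",
    "PID 1328 wrote to memory of 2016 N/A C:\\Windows\\SysWow64\\winrdlv3.exe C:\\Windows\\SysWow64\\winrdlv3.exe",
    "PID 2016 wrote to memory of 2228 N/A C:\\Windows\\SysWow64\\winrdlv3.exe C:\\Windows\\system32\\regsvr32.exe",
    "PID 2016 wrote to memory of 2228 N/A C:\\Windows\\SysWow64\\winrdlv3.exe C:\\Windows\\system32\\regsvr32.exe",
    "PID 2016 wrote to memory of 2228 N/A C:\\Windows\\SysWow64\\winrdlv3.exe C:\\Windows\\system32\\regsvr32.exe",
]

# Command lines copied from the report's Processes list.
COMMAND_LINES = [
    'cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\\Windows\\system32\\winrdlv3.exe"',
    'netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\\Windows\\system32\\winrdlv3.exe"',
    '"C:\\Program Files (x86)\\Common Files\\System\\systecv3.exe" SW_HIDE',
    "C:\\Windows\\SysWow64\\winrdlv3.exe winwdgv3.dll,RunMonitor32",
    "C:\\Windows\\SysWow64\\winrdlv3.exe winoav3.dll,RunAgent32",
    "C:\\Windows\\system32\\regsvr32.exe /s trmenushl64.dll",
    "C:\\Windows\\system32\\regsvr32.exe /s /u trmenushl64.dll",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
FIREWALL_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')       # key="quoted" or key=bare
DLL_EXPORT_RE = re.compile(r"\s(\S+\.dll),(\w+)\s*$", re.I)
REGSVR_RE = re.compile(r"regsvr32(?:\.exe)?\s+(.*)$", re.I)


def parse_edges(rows):
    """Map child PID -> (parent PID, parent image, child image); count repeated rows.
    Both images start with a drive letter, so the last ' C:\\' separates a parent
    path containing spaces from the child path."""
    parents, counts = {}, Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        ppid, cpid, paths = int(m.group(1)), int(m.group(2)), m.group(3)
        parent_img, child_img = paths.rsplit(" C:\\", 1)
        parents[cpid] = (ppid, parent_img, "C:\\" + child_img)
        counts[(ppid, cpid)] += 1
    return parents, counts


def lineage(parents, pid):
    """Image basenames from the outermost ancestor the report knows down to pid."""
    chain = []
    while pid in parents:
        ppid, parent_img, child_img = parents[pid]
        chain.append(child_img.rsplit("\\", 1)[-1].lower())
        if ppid not in parents:            # root with no creator row of its own
            chain.append(parent_img.rsplit("\\", 1)[-1].lower())
        pid = ppid
    return chain[::-1]


def classify(cmdline):
    """Return (tag, detail) findings for one command line."""
    findings = []
    if FIREWALL_RE.search(cmdline):
        kv = {k.lower(): q or u for k, q, u in KV_RE.findall(cmdline)}
        if kv.get("action", "").lower() == "allow":
            findings.append(("firewall_allow", f"{kv.get('dir', '?')} {kv.get('program', '?')}"))
    m = DLL_EXPORT_RE.search(cmdline)
    if m:                                   # host exe given "dll,Export", rundll32-style
        findings.append(("dll_export_call", f"{m.group(1)}!{m.group(2)}"))
    m = REGSVR_RE.search(cmdline)
    if m:
        args = m.group(1).split()
        flags = {a.lower() for a in args}
        if "/s" in flags:                   # silent COM server (un)registration
            target = next((a for a in reversed(args) if not a.startswith("/")), "?")
            findings.append(("regsvr32_silent_" + ("unregister" if "/u" in flags else "register"), target))
    if re.search(r"\bSW_HIDE\b", cmdline):  # process launched with a hidden-window argument
        findings.append(("hidden_window_arg", "SW_HIDE"))
    return findings


def triage(rows, cmdlines):
    """Lineage for every leaf process, edge repeat counts and per-command-line findings."""
    parents, counts = parse_edges(rows)
    creators = {p for p, _, _ in parents.values()}
    leaves = sorted(c for c in parents if c not in creators)
    return {
        "lineages": {pid: " -> ".join(lineage(parents, pid)) for pid in leaves},
        "edge_counts": {f"{p}->{c}": n for (p, c), n in counts.items()},
        "findings": {c: classify(c) for c in cmdlines},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNATURE_ROWS, COMMAND_LINES), indent=2))
```

Run against the full tables, the lineage for PID 2228 comes out as winrdgv3.exe -> winrdlv3.exe -> winrdlv3.exe -> regsvr32.exe, which is the chain worth hunting for on an endpoint: a regsvr32 whose grandparent is a non-Microsoft binary under Common Files\System.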

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
HK 206.238.197.191:8237 tcp
HK 206.238.197.191:8237 tcp

Files

\Users\Admin\AppData\Local\Temp\nst209C.tmp\nsProcess.dll

MD5 88d3e48d1c1a051c702d47046ade7b4c
SHA1 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23
SHA256 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257
SHA512 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

\Users\Admin\AppData\Local\Temp\nst209C.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

\Users\Admin\AppData\Local\Temp\nst209C.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

\Program Files (x86)\Common Files\System\systecv3.exe

MD5 b9e0a7cbd7fdb4d179172dbdd453495a
SHA1 7f1b18a2bee7defa6db4900982fd3311aabed50d
SHA256 cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce
SHA512 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c

C:\Windows\win.ini

MD5 c92f152bf334d2f075282a47811a4f0b
SHA1 b72210f515a7534b81fb6141ec1fce55a85fd912
SHA256 0d14a2fc3b0e1877869b8fa8fa0709d426cea00ba2a5b4bd39e275afb7dad8db
SHA512 b3a976a74cd0efb69270dd864a75a2569a4f0984eaa47937162f122a8c838d830d8fcf5ad3d16a4f950a870d58b35b89190d9cd30fc232d63bbeac0799f3037c

C:\Windows\bakrdgv3.sys

MD5 97ac3ef2e098c4cb7dd6ec1d14dc28f1
SHA1 3e78e87eefe45f8403e46d94713b6667aee6d9c9
SHA256 a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1
SHA512 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd

C:\Windows\bakrdlv3.sys

MD5 0cbeb75d3090054817ea4df0773afe35
SHA1 58c543a84dc18e21d86ad2c011d8ac726867fb78
SHA256 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822
SHA512 f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c

C:\Windows\bakwdgv3.sys

MD5 0aed8f70a00060f8005efa8d1c668b98
SHA1 c75fe3d1a2476da55f526d366f73bedbfd56f32a
SHA256 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671
SHA512 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787

C:\Windows\system32\winwdgv364.dll

MD5 889482a07ba13fc6e194a63d275a850a
SHA1 16a164fded3352abb63722a5c74750cdc438f99a
SHA256 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0
SHA512 e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a

C:\Windows\SysWow64\winoav3.dll

MD5 3ae42cb8a028c5be3f57575342bbb56d
SHA1 2939396b9069d4b46febc047b13ce2c30de7e886
SHA256 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609
SHA512 f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24

memory/1328-259-0x0000000002EE0000-0x0000000003D0C000-memory.dmp

C:\Windows\SysWow64\Ocular\OAgent.ini

MD5 1acb166750b21d9c394ccacfdaa718bc
SHA1 28232adfe22d1aa042ef4534e9a988375537afc9
SHA256 2526e939a30a437cfa4a2b546805f6fc4cc76fdeecf0a5281d1bd85eda78e7df
SHA512 8cbc831caa3d5291f37087c5f38dd917b7c8b6b3ccb3a54ed61292fd505fb1fba68bf8f73fb305cfd19fc6a9bac72ddcf09a1cff2c599bd523c129eb1fc015e1

C:\Windows\SysWow64\Ocular\msodhash3.dat

MD5 cc6f29a25411edb2c70d8435f65d07e7
SHA1 979d233f6f28be82c13741656ade2267570b370f
SHA256 51181f1ca5c983ae43772423bfa3474a89f146ed2ac8bf9213fe892483382689
SHA512 0f60b4ce017e44b429821d3d6f613ed7b683effc5d38e80a28a042687702cea8febc843bd037af18442a84c77766adef2c8ca890bb42e830814f39e364e1fd59

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 3b5cfa0dee5399ed374e7ea190e17702
SHA1 c284ca1a80cb29751dfa22b8394639cee60fdf20
SHA256 174611360f12c80bed1541c08df888b51fb8b432b7d40a53bee3bcce2f54a4b4
SHA512 32225ab627b31ab06a9171cc01b34b12f2060a51f8e02b31f808f37d8c037c1b58769054dbb3af57e2f5bdd9388240bee63cbc018611894f39feb187d85b018a

C:\Windows\SysWow64\Ocular\OPolicy.ini

MD5 b0ad710d556202e4e10ec85de251a05e
SHA1 e3ed531e03631b313586905696d41bd4614206b4
SHA256 cfbe90e8a34e2c62825dd2645a501b895df9b9df30742d818d9121b0e0d0cc1a
SHA512 b18fce2a1f162be627b5721e06db24262c5ffb10ea343cabf9da3577e0942dedac4d350f5f40d0f074e2fe7710744ab9f8c476e4f554eadffde7cb3ab7a0b43a

C:\Windows\SysWOW64\Ocular\OPolicy.ini

MD5 8d2ff4e0abf08dcff293f9fc9b67a4d3
SHA1 ed409486dd176c8598a45c28f0fecb7f0645c88a
SHA256 0a71f0600dd213e41a456f02dfc2f363166c557469d7cf1492351b71fdb6c45c
SHA512 65b25e7f6c7073ce20ac8af3a8e7361961304e9ac94173d821362e51ca4382a434cd1e1304a98680d7c5f8504cfe83a475ae3ed1138a56a756aa8f88031d598b

C:\Windows\SysWow64\Ocular\msmidtierserverclass3.dat

MD5 802914edc8dec4d5414de5bb98601d40
SHA1 13fe97de7e7593781a472d95324303e34eab552b
SHA256 01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947
SHA512 64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf

C:\Windows\SysWow64\Ocular\AgentTask\AgentTaskList.dat

MD5 cb8011b1b79f2a807d75bddd80ac6e0e
SHA1 130414054b8e1be7c7a153d7ba48edebeeedbc65
SHA256 cf0869f7602342ad3042ab84cf2de0b5adbd71b3316a062182c7a47c7671a630
SHA512 7cf22ffecbc743c35e5149ad8a404426dde094c0058479273d5a92b8a4bf3f840bd2f4b3f6074331e214d6e6e1d71837f1431c8f6685ae2ad22a68f70f991860

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 e620702190c9a304112c41e36b43d6b6
SHA1 38ef2495f468644b2d9588fc0fe9408b23415a89
SHA256 56d61b6ae0291a229597d9ac8c964856224de373ec0ae5f9cef2b8b81f893881
SHA512 b9fceabe45db2a1eb0764c408d26a4f1546021b78682dace9c10a1ec4012a41d02b59c46cfd6b92fd8bd8a3a3407fa5db829db146029f309cf5a350f48c4b1eb

C:\Windows\LInstSvr.exe

MD5 fb741fceeb80a76f7f0005a1ac60604a
SHA1 a6a8d97365634b266f0b5a001038a5a86b9ed2d6
SHA256 c8bd29c490368ebfc56dc5c951e24af613f7e5b68a8493240f5ec1afd9d4a9b1
SHA512 8e43d1a8448828e9ea5fcac792b95dcb63640ea200cb2d2dff4902c4ceb6e79a405e0739d293c7cc14bb6ee025089fb9e954ba38e6707b92ac9fe251918bd780

C:\Windows\win.ini

MD5 6345a57c6cd75d726a838a14ca43ca5b
SHA1 ceeef4a9fbb3ff05c234440c7a655fa9b4222ff3
SHA256 9316406e880835dda9d7a650b28e8d8d687c59cd0f53a9e733e59fe0415e6430
SHA512 5a165c5aab02791ab922bc54f1ccadac47e1b58aa2c366cc62e7afa99527d3e86f31d8e2f8cafdc39a29aa8547ce04ef50eda362d03c5ee8fbda4b44c94edfd9
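
Several paths in the Files list appear more than once with different hashes (C:\Windows\win.ini, and OAgent.ini and OPolicy.ini under Ocular), which is the pattern of a file rewritten during the run, and three .sys files sit directly under C:\Windows rather than under System32\drivers. The Python below is an added example, not code from the report or the sandbox: it parses the listing in the layout shown above, groups entries by case-insensitive path, and applies those two checks plus two path heuristics of its own (binaries dropped under \Windows or \Program Files, and a Temp\ns*.tmp directory, which is the layout an NSIS installer uses for its plugins; treating nst209C.tmp that way is an assumption). The embedded listing is a subset of the report's own entries with only the MD5 and SHA256 lines kept.

```python
# Added example: group a sandbox Files listing by path, find files written more
# than once, and tag paths worth a second look. Not code from the report.
import re
from collections import defaultdict

# Subset of the report's Files entries, in the report's own layout.
FILES_TEXT = r"""
\Users\Admin\AppData\Local\Temp\nst209C.tmp\nsProcess.dll

MD5 88d3e48d1c1a051c702d47046ade7b4c
SHA256 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

\Program Files (x86)\Common Files\System\systecv3.exe

MD5 b9e0a7cbd7fdb4d179172dbdd453495a
SHA256 cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce

C:\Windows\win.ini

MD5 c92f152bf334d2f075282a47811a4f0b
SHA256 0d14a2fc3b0e1877869b8fa8fa0709d426cea00ba2a5b4bd39e275afb7dad8db

C:\Windows\bakrdgv3.sys

MD5 97ac3ef2e098c4cb7dd6ec1d14dc28f1
SHA256 a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1

memory/1328-259-0x0000000002EE0000-0x0000000003D0C000-memory.dmp

C:\Windows\SysWow64\Ocular\OAgent.ini

MD5 1acb166750b21d9c394ccacfdaa718bc
SHA256 2526e939a30a437cfa4a2b546805f6fc4cc76fdeecf0a5281d1bd85eda78e7df

C:\Windows\SysWOW64\Ocular\OAgent.ini

MD5 3b5cfa0dee5399ed374e7ea190e17702
SHA256 174611360f12c80bed1541c08df888b51fb8b432b7d40a53bee3bcce2f54a4b4

C:\Windows\LInstSvr.exe

MD5 fb741fceeb80a76f7f0005a1ac60604a
SHA256 c8bd29c490368ebfc56dc5c951e24af613f7e5b68a8493240f5ec1afd9d4a9b1

C:\Windows\win.ini

MD5 6345a57c6cd75d726a838a14ca43ca5b
SHA256 9316406e880835dda9d7a650b28e8d8d687c59cd0f53a9e733e59fe0415e6430
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Each non-hash line opens an entry; hash lines attach to the latest entry.
    Memory-dump entries carry no hashes and come through with an empty dict."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1)] = m.group(2).lower()
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def norm(path):
    """Drop the drive letter and casefold, so C:\\Windows\\SysWow64 and
    \\Windows\\SysWOW64 compare equal (the report mixes both spellings)."""
    return re.sub(r"^[A-Za-z]:", "", path).casefold()


def rewritten_paths(entries):
    """Paths listed with more than one distinct SHA256, i.e. written repeatedly."""
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e["hashes"]:
            seen[norm(e["path"])].add(e["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def classify_path(path):
    """Heuristic tags for one path (this example's own names)."""
    p = norm(path)
    tags = []
    if p.endswith(".sys") and "\\system32\\drivers\\" not in p:
        tags.append("driver_outside_drivers_dir")
    if p.rsplit(".", 1)[-1] in {"exe", "dll", "sys"} and (
        p.startswith("\\windows\\") or p.startswith("\\program files")
    ):
        tags.append("binary_dropped_in_system_dir")
    if re.search(r"\\temp\\ns\w+\.tmp\\", p):    # NSIS plugin temp dir (assumption)
        tags.append("installer_plugin_temp_dir")
    if p.startswith("memory/") and p.endswith(".dmp"):
        tags.append("memory_dump")
    return tags


def triage_files(text):
    """Entry count, rewritten-path map and per-path tags for a Files listing."""
    entries = parse_files(text)
    tagged = {}
    for e in entries:
        tags = classify_path(e["path"])
        if tags:
            tagged[e["path"]] = tags
    return {"entries": len(entries), "rewritten": rewritten_paths(entries), "tagged": tagged}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_files(FILES_TEXT), indent=2))
```

The rewritten-path check is the one that repays the parsing effort: a configuration file that changes hash three times in a two-minute detonation (OAgent.ini in the full listing) marks the component that keeps rewriting it as the one to pull apart first.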

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1552 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1552 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 3700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 3700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 3700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4588 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4588 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5SerialPort.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipver.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2156 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\360zip\360zipw.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240220-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2468 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:38

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QmlWorkerScript.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240215-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5QuickControls2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-02 11:34

Reported

2024-06-02 11:37

Platform

win7-20240419-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 220

Network

N/A

Files

N/A
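
The remaining runs all follow one layout: a DLL extracted from the installer is launched through rundll32 with export ordinal #1, the 64-bit rundll32 hands the 32-bit DLL to its SysWOW64 counterpart, and in two of the runs shown that child crashes and WerFault is started with -p <pid>. To compare thirty such sections without reading each one, the Python below (an added example, not code from the report or the sandbox) splits a report text into "Analysis:" sections and extracts platform, command line, signature titles, crashed PIDs and any connection that is not a DNS lookup. The embedded sample is an abbreviated copy of the behavioral4 and behavioral28 sections above; the field names in the summary are this example's own.

```python
# Added example: summarize the per-run sections of a sandbox report in the
# layout used above. Not code from the report or the sandbox.
import re

# Abbreviated copy of two run sections from the report, in its own layout.
SAMPLE_REPORT = r"""
Analysis: behavioral4

Platform

win10v2004-20240508-en

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 1652

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp

Analysis: behavioral28

Platform

win10v2004-20240426-en

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Qt5RemoteObjects.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 52.111.227.11:443 tcp
"""

SECTION_RE = re.compile(r"^Analysis: (\S+)$", re.M)
NET_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (?:(\S+) )?(tcp|udp)$")
WERFAULT_RE = re.compile(r"WerFault\.exe .*?-p (\d+)")   # -p <pid> names the crashed process
TABLE_HEADER = "Description Indicator Process Target"
BLOCK_HEADERS = {"Signatures", "Processes", "Network", "Files"}


def value_after(lines, key):
    """Value of a 'Key / blank / value' pair, or None if the key is absent."""
    if key not in lines:
        return None
    return next((l for l in lines[lines.index(key) + 1:] if l), None)


def signature_names(lines):
    """Signature titles: non-empty lines preceded by a blank inside the Signatures block
    (table headers and rows follow each other without a blank, so they are skipped)."""
    if "Signatures" not in lines:
        return []
    names = []
    for i in range(lines.index("Signatures") + 1, len(lines)):
        if lines[i] in BLOCK_HEADERS:
            break
        if lines[i] and not lines[i - 1] and lines[i] != TABLE_HEADER:
            names.append(lines[i])
    return names


def summarize(report_text):
    """One dict per 'Analysis:' section."""
    parts = SECTION_RE.split(report_text)          # [pre, name1, body1, name2, body2, ...]
    runs = []
    for name, body in zip(parts[1::2], parts[2::2]):
        lines = [l.strip() for l in body.splitlines()]
        sigs = signature_names(lines)
        crashed_pids = sorted({int(p) for p in WERFAULT_RE.findall(body)})
        non_dns = []
        for line in lines:
            m = NET_RE.match(line)
            if m and not (m.group(5) == "udp" and m.group(3) == "53"):
                non_dns.append(f"{m.group(2)}:{m.group(3)}/{m.group(5)}")
        runs.append({
            "run": name,
            "platform": value_after(lines, "Platform"),
            "command_line": value_after(lines, "Command Line"),
            "signatures": sigs,
            "crashed": "Program crash" in sigs or bool(crashed_pids),
            "crashed_pids": crashed_pids,
            "non_dns_connections": non_dns,
        })
    return runs


if __name__ == "__main__":
    for run in summarize(SAMPLE_REPORT):
        print(run["run"], run["platform"], "crashed" if run["crashed"] else "ok", run["non_dns_connections"])
```

Applied to the whole report, the crashed flag separates the NSIS plugin DLLs that fault when called through rundll32 (export #1 with no arguments) from the Qt and 360zip DLLs that simply return, and the non-DNS column isolates the one 206.238.197.191:8237 connection in the main run from the reverse-lookup noise the Windows 10 images generate on their own.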