Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 15:15

Static task: static1

Behavioral task: behavioral1
- Sample: 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
- Resource: win10v2004-20240508-en

General
- Target: 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
- Size: 10.5MB
- MD5: 5bea316bb103be1a4a09fcb057fd975e
- SHA1: dd9f0b813957d79d75db79f21038e111353b8f8d
- SHA256: 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6
- SHA512: 73e2cfb88e0afd939a383b801779d1a78c09173e5046d0401086cfd37def08efc223a732898a0b624d3b6e732c9d11ce297b9f35a64dfcfe98f006c52da4d9c5
- SSDEEP: 196608:Sw0ZF1Duj95x4pxeseI/f3DpakQ4O1j7sQarVQnzFU/7qRjbWBJ:1UbuJ5x4feYoRRNaqS/7qRjbWX
Malware Config

Signatures

Executes dropped EXE (5 IoCs)
Processes (pid | process):
2908 | AKernel3.exe
2516 | systecv3.exe
1088 | winrdgv3.exe
1476 | winrdlv3.exe
1040 | winrdlv3.exe
Loads dropped DLL (9 IoCs)
Processes (pid | process):
1736 | 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
1736 | 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
2908 | AKernel3.exe
2908 | AKernel3.exe
1088 | winrdgv3.exe
1088 | winrdgv3.exe
1476 | winrdlv3.exe
1476 | winrdlv3.exe
1040 | winrdlv3.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
File opened (read-only) by winrdlv3.exe, one entry per drive root, in the order recorded: \??\X:, \??\Y:, \??\M:, \??\P:, \??\Q:, \??\V:, \??\K:, \??\S:, \??\H:, \??\L:, \??\U:, \??\B:, \??\G:, \??\I:, \??\Z:, \??\D:, \??\F:, \??\O:, \??\R:, \??\J:, \??\N:, \??\T:, \??\A:, \??\E:, \??\W: (every letter A: to Z: except C:).
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
File opened for modification | \??\PhysicalDrive0 | winrdlv3.exe
Drops file in System32 directory (64 IoCs)
Processes (description | ioc | process):
File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_16_15_16_18_259414514_5_3_6334 | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\agentupd.oau.tmp | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Deploy | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Data | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\ExData | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\AgentTask | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | winrdgv3.exe
File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_16_15_16_14_259410630_1_3_41 | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular | systecv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msmidtierserverclass_cache3.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\OAgentTray | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular3Path\SCDT\SetupAppTemp | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_8_259405108_1_3_41 | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular3Path | systecv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\TSafeDoc | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\SurvData | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Policy | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\OPolicy.ini | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_16_15_16_20_259416558_7_3_26500 | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\SCDT\DocLog | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\sdcenter.dll | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_8_259405108_2_3_18467 | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\AgentTask\AgentTaskList.dat | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_8_259405108_4_3_26500 | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass_cache2.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | winrdgv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Files | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Rtft | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_8_259405108_3_3_6334 | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Screen | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass2.dat | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_16_15_16_16_259412580_3_3_18467 | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msmailboxidentify_cache.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | winrdgv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\OAgent.ini | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\PrintData | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\TKS | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\WinPatch | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Download | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular3Path\SCDT | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass_cache2.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | winrdgv3.exe
File created | C:\Windows\SysWow64\Ocular\msoapphash5.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Mails | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Temp | winrdlv3.exe
File created | C:\Windows\SysWow64\bakrdgv3.sys | systecv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSMatch | winrdlv3.exe
File created | C:\Windows\SysWow64\bakstec3.sys | systecv3.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | winrdgv3.exe
File created | C:\Windows\SysWow64\Ocular\msmidtierserverclass_cache3.dat | winrdlv3.exe
File created | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msmailboxcalss_cache.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\OBtEmulator | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\SCDT | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent\1040 | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\BroHistory | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msodhash3.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\Asset | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msoapphash5.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWow64\Ocular\msagentclass.dat | winrdlv3.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | winrdgv3.exe
Drops file in Program Files directory (1 IoCs)
Processes (description | ioc | process):
File opened for modification | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | systecv3.exe
Drops file in Windows directory (18 IoCs)
Processes (description | ioc | process):
File created | C:\Windows\wusa.lock | wusa.exe
File opened for modification | C:\Windows\bakDWM.dat | systecv3.exe
File opened for modification | C:\Windows\bakCertList.dat | systecv3.exe
File opened for modification | C:\Windows\bakDWM.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakCertList.dat | winrdlv3.exe
File opened for modification | C:\Windows\win.ini | winrdlv3.exe
File opened for modification | C:\Windows\bakSCClient.dat | systecv3.exe
File opened for modification | C:\Windows\bakTKSPack.dat | systecv3.exe
File opened for modification | C:\Windows\bakTKSPack.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakTStartMenu.dat | systecv3.exe
File opened for modification | C:\Windows\bakThirdPartyLib.dat | winrdlv3.exe
File opened for modification | C:\Windows\Logs\DPX\setupact.log | wusa.exe
File opened for modification | C:\Windows\Logs\DPX\setuperr.log | wusa.exe
File opened for modification | C:\Windows\bakCameraPack.dat | systecv3.exe
File opened for modification | C:\Windows\bakThirdPartyLib.dat | systecv3.exe
File opened for modification | C:\Windows\bakSCClient.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakTStartMenu.dat | winrdlv3.exe
File opened for modification | C:\Windows\bakCameraPack.dat | winrdlv3.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | winrdlv3.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | winrdlv3.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | winrdlv3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | winrdlv3.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | winrdgv3.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | winrdlv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | winrdgv3.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | winrdgv3.exe
Modifies registry class (24 IoCs)
Processes (description | ioc | process); all entries are by winrdlv3.exe under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node:
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" | winrdlv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | winrdlv3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "0" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "0" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "2589671583" | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = (all-zero binary blob, value omitted) | winrdlv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000000000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000 | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = (all-zero binary blob, value omitted) | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000 | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = (binary blob, value omitted) | winrdlv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID | winrdlv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 24f61d5b7432e640 | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | winrdlv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 010000004400410044005900200048004100520044004400490053004b0044004400300030003000310033000000 | winrdlv3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65627" | winrdlv3.exe
Modifies system certificate store
Processes (description | ioc | process):
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob, value omitted) | winrdgv3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | winrdgv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob, value omitted) | winrdgv3.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob, value omitted) | winrdgv3.exe
Note: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 is the SHA-1 thumbprint of the public DigiCert Assured ID Root CA (its subject name is readable in the omitted DER blob). Writes of a well-known public root under AuthRoot, together with the CryptnetUrlCache files listed under "Drops file in System32 directory", are what Windows' automatic root-certificate update produces when a process validates a signature; on their own they are not evidence that a custom root was installed.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process): 64 hits in total, all from PID 1040 winrdlv3.exe and PID 1476 winrdlv3.exe (repeated entries collapsed).
Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid | process): two entries for PID 476 (process name not captured in the report).
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 2516 | systecv3.exe
Token: SeTcbPrivilege | 1040 | winrdlv3.exe
Token: SeDebugPrivilege | 1040 | winrdlv3.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid | process):
1736 | 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
2908 | AKernel3.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes (source pid -> target pid | source process -> target process | entries):
1736 -> 2908 | 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe -> AKernel3.exe | 4
2908 -> 2516 | AKernel3.exe -> systecv3.exe | 4
2516 -> 1580 | systecv3.exe -> wusa.exe | 4
1088 -> 1476 | winrdgv3.exe -> winrdlv3.exe | 4
1476 -> 1040 | winrdlv3.exe -> winrdlv3.exe | 4
1040 -> 1712 | winrdlv3.exe -> regsvr32.exe | 7
System policy modification (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | winrdlv3.exe
EnableLinkedConnections = 1 makes network drives mapped under a user's standard token visible to that user's UAC-elevated token as well, so a process running elevated can reach the mapped drives.
Processes

Process tree 1 (depth shown by indentation; each entry lists image path, command line, PID and the signatures attributed to it):

[1] C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe"
    PID: 1736
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe
      Command line: -Unpack -logDir "C:\Users\Admin\AppData\Local\Temp\AgentInstall" -v "4.0.0.13"
      PID: 2908
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Common Files\system\systecv3.exe
        Command line: "C:\Program Files (x86)\Common Files\system\systecv3.exe"
        PID: 2516
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\wusa.exe
          Command line: C:\Windows\system32\wusa.exe C:\Windows\system32\Windows6.1-KB3033929-x64.msu /quiet /norestart
          PID: 1580
          - Drops file in Windows directory
          (KB3033929 is Microsoft's SHA-2 code-signing support update for Windows 7 x64, a prerequisite for loading SHA-2-signed drivers on that OS.)

Process tree 2:

[1] C:\Program Files (x86)\Common Files\System\winrdgv3.exe
    Command line: "C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
    PID: 1088
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWow64\winrdlv3.exe
      Command line: C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
      PID: 1476
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWow64\winrdlv3.exe
        Command line: C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
        PID: 1040
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

      [4] C:\Windows\system32\regsvr32.exe
          Command line: C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
          PID: 1712
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.7MB
MD5: 1630b69bfc6c00695c3dccb605f98254
SHA1: 19176bba591c452cc417ce59349f370c5be816cd
SHA256: 2ca39bfc3e928b0c36b3d57cf9768f0dcd6283ab3177c981bbd12b605f129c46
SHA512: cad9169ca2d377c3de59dc5253ff6fb62eaccb4d48958be0ed7911210eeb73712befcd1df4450cdf3872bc8c2631745134ef3b56d5ea956724ec5e7fedb04921
-
Filesize: 8.2MB
MD5: 674e3c701589408cf61a992619e31a6b
SHA1: 9586bac628f9aecc09ea07cb64d6bfe6274d4f70
SHA256: 0d712cf727b443ff2d83f92940d7500f5fd133257f167fae4ae03c40b5a14656
SHA512: af623d5e5ab13c315586084301013e1bbeb3ba0a45378de849cf5523eb468c95f88704e00081c65d06b638c162c91ce6bb15ab9084d90cf0d90abd34fab86039
-
Filesize: 2.3MB
MD5: b9e0a7cbd7fdb4d179172dbdd453495a
SHA1: 7f1b18a2bee7defa6db4900982fd3311aabed50d
SHA256: cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce
SHA512: 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c
-
Filesize: 1.7MB
MD5: 97ac3ef2e098c4cb7dd6ec1d14dc28f1
SHA1: 3e78e87eefe45f8403e46d94713b6667aee6d9c9
SHA256: a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1
SHA512: 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd
-
Filesize: 2.1MB
MD5: 0aed8f70a00060f8005efa8d1c668b98
SHA1: c75fe3d1a2476da55f526d366f73bedbfd56f32a
SHA256: 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671
SHA512: 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787
-
Filesize: 13.7MB
MD5: 3ae42cb8a028c5be3f57575342bbb56d
SHA1: 2939396b9069d4b46febc047b13ce2c30de7e886
SHA256: 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609
SHA512: f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24
-
Filesize: 57KB
MD5: 0cbeb75d3090054817ea4df0773afe35
SHA1: 58c543a84dc18e21d86ad2c011d8ac726867fb78
SHA256: 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822
SHA512: f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c
-
Filesize: 1.3MB
MD5: 889482a07ba13fc6e194a63d275a850a
SHA1: 16a164fded3352abb63722a5c74750cdc438f99a
SHA256: 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0
SHA512: e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a
-
Filesize: 413KB
MD5: fb741fceeb80a76f7f0005a1ac60604a
SHA1: a6a8d97365634b266f0b5a001038a5a86b9ed2d6
SHA256: c8bd29c490368ebfc56dc5c951e24af613f7e5b68a8493240f5ec1afd9d4a9b1
SHA512: 8e43d1a8448828e9ea5fcac792b95dcb63640ea200cb2d2dff4902c4ceb6e79a405e0739d293c7cc14bb6ee025089fb9e954ba38e6707b92ac9fe251918bd780
-
Filesize: 694B
MD5: 2b436f31fa2d70ec9015c354492b8eaf
SHA1: cb82c223e44c4ffaa8b6e4c4dc8cd9b17c1edf24
SHA256: 86629d5d52f18489005c711d3068cc9cb9f49bd326b1bcd5c405fc2b0efccfa7
SHA512: 866077d7e79f6cc023a989d4c8312d0b2df93dab94e5f0c700f95b24e515d7faf4290f209ec0cc5fbeeb1bdec89dadb096589d8d2632ba02340372b87fe3ce63
-
Filesize: 120B
MD5: f52c682f56480f716f67ee8a2108ab21
SHA1: 7841bb9e117fe479a6ed213e2f3e0aad6624d7a3
SHA256: 36a2df783f33b4ee2fbe63b9708b678b21563793209938e70241083ac590c07a
SHA512: 0c08bb9502c9757b53f06c9a02e5b31420e0a1bd8934cb6f963e7a169b7f1428dd73e0576fc7cf548b1df1ae4aa6a25147cfc15ee43a92656eb45350b2306439
-
Filesize: 2KB
MD5: 90b447870feadf5e50d43ca3fb21f4dc
SHA1: 10738e75635b4932d52b36ee00f1f67dc2b1a4a7
SHA256: 8280932b6286f493ddf3e8a30369be5559c4a435092247e48912e7167a1cc3a3
SHA512: e04ee6a223eebac67ac8109fc45ff14437cacfa51c29f440b666c66b741741e2c264a605f5a601a91643967a13a0175d0dbb50881be10c6d83f7323e5769cf30
-
Filesize: 4KB
MD5: 25a1417a6e0b0a9cbe6f5926d5c34df3
SHA1: 8e6a38958cba7f1f1e52966b5bf8547efad04e18
SHA256: 7c7033683d461378f93f9dce9a5f5f7e3dd7e5b8a3e9269602acd7a63ef51cbe
SHA512: 7a398556e550780db29dcfcc2b8a3239cb293fb891247bc1d94356193ddf8ecddc01736d47e44953f2f8549564bae20c1afb752e31ca4da711a5ed75a92b0845
-
Filesize: 4KB
MD5: 20df091865173e0f9e9a80efc6326ab2
SHA1: 78bc403371f95418b50897659445d01e557effcb
SHA256: 8cd8f41d64c73abdc3042940b8ff0d7d0e036a67c4f0dfe30bec553f09cc1b7d
SHA512: 2eabbc188e8eb4da26d28d6b4abeed07f9a2880fb4d67af29ad59dd37eab01fdb3c6000497a07ce19284f7ef03a0647b86c464dc16efa84762d6d0ae521ceb60
-
Filesize: 5KB
MD5: b3c82c527df0423a1c0e96ddb3923d99
SHA1: 1edb3c0c93ff21f9c20592e5b20473e5461a5700
SHA256: 61521f852ca1726cfd18c12ec88f3857f9fd03cdf046b8116d8df00a874ab88f
SHA512: 919db171a6766f388a7ff11b325c3d26ed9f8ecc1e25d089a5807c29f9b75b7909635c10b18edceed4967d5f2c12ad7d813f8574dda0e2e554ad91bc82aa64e4
-
Filesize: 6KB
MD5: 1867426430a638096e1c00a767b2e3b8
SHA1: ecb0aa16ed5781124a054ae014e937b1d15009a5
SHA256: ac5a63688f08bf73086f662f10caf2fe8ed454d440264817bee2e6a3592c3e5d
SHA512: bdb81aee223794d02a830c426c2df1f7b317c182e465ae90053ba300353357516f23f2553858458980ff51a26ced80753702e06523f89a90dd03f06ca44a5e30
-
Filesize: 6KB
MD5: 9599bf033070b0cd403ea0b9866a715c
SHA1: 5df463a0071f8686004af950cb9f646dbdcd1a44
SHA256: 11e40464af49c92f88f5ffe9dc91e17f01ae2e69b03328aa1d11f3e3549ae385
SHA512: 8ce81fa42bd3f73aeb2aa93b17e383269f116063627b0e02e8fb64f6552ae34367726f723832bc52d0de7bf224d4f56c63a8d081ce71c15f503f08a78c20e541
-
Filesize: 6KB
MD5: 4559a4e5e72758c2143ea2df4fef2d80
SHA1: de19263f65c84116303455e1b6f7f17a5804106a
SHA256: 539d957148a2d2eb2c6324ddd72b5115565ad2fb4277ff0770a47710034aeb49
SHA512: 7878aac7567d85ae90502dcc08a68079ea066217c17ba3f1dbf4e5a2bce29b90f8e5868dfee630d50ced0a829cca7547a815272bf4fdeeb3dd8cb9b5f4d6f8ec
-
Filesize: 7KB
MD5: d507eb5245005c37131dd7a28a1d13b8
SHA1: 5320122b571fa6fd6765240d5b8a2a321207248d
SHA256: 98ee8ec9cf4c9d6b630019a4fc5362eb4ca1da0eb9fb0a748f1e75e5d421ee01
SHA512: 7e3ab504f742e8a1074cd91569f3ffed29214581d5feb47d38174899040b661796e9bf640e0bdb9a880782b1ee67329ad963da33dff31e364d51bd371e529c82
-
Filesize: 7KB
MD5: 1e384a01a121a76b17c8ca2ead8c6341
SHA1: 6e5aa86c980014bb43c5f57faf912a3269092759
SHA256: 9d35fa038c9cf67cd7ab8307c82b5176c8b1dd8e2963d4e1e8903613a1fd6fe1
SHA512: 5477298a3664fa67e208abe7d0a0f57319de3c707905e8a1a5f270a2e7e2b2320a4e347418e8e8a9b10fcf35c1ea73b17c7f2a08a18c54f25a02e0dfc2c818d0
-
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize: 3KB
MD5: ec0580e0ce62c404d1e7f9054733b880
SHA1: 8891b974c18fad0c1d85b4cf1044e0fc2bbfe557
SHA256: f03a3b886b7fdca962205c9b8b9cb4be3bbf3b0954798c37b685bb2736eb4649
SHA512: 5c835f02d52bf2a81619fe52d24ab811408c976d57c4d17d1af4ab32aca3ab8e363831b55f5c976b9c8109cc41e94b73e92eb959cff1dbd4a2804067ff9db381
-
Filesize: 7KB
MD5: f76ce1e6823ef205078147113d610b0a
SHA1: 2bf26470ae2b2f0e677cd2655c2953ec420f3301
SHA256: 18417c20d1e8fe2a0d7d492f82d3edf83a14863186463477c0cdcf0e43dac7a2
SHA512: 974e958ed96397bbe6fb2d7fed7245d86fb7334230d7730e648192b49712bfcab90b75f081b5bf25ab9f4149e3da431ebca91125a5cfa8806c41f9bb4796b12d
-
Filesize: 132B
MD5: 802914edc8dec4d5414de5bb98601d40
SHA1: 13fe97de7e7593781a472d95324303e34eab552b
SHA256: 01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947
SHA512: 64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf
-
Filesize: 40B
MD5: b4c5a731de7aafc9a8dece224e0db819
SHA1: 190077d8d59260ec8362b8ef35c6b697dc8ed400
SHA256: c4b9f8c964f351f470cfb1734631489c055af13bb8b2df5cc477f2531b476d37
SHA512: 120a7c2f964c2228c3546aa5e2a25862530e373812b99613b3d7ab763a267ba8dc49f108eeafc7b5246c6eb70b2099078345b8411e01e6450b47900e6981ef98
-
Filesize: 946B
MD5: aae430e4fd437114efcbe85fb759f074
SHA1: 76fd87a466175652859f7f3925c03d6f7ccaaa47
SHA256: 94f4e0b0d3ede5c26a9fa8a0b80fa21222b4f11657c62fe0c84a8450033e7ddc
SHA512: 36366e0ee89812c3b05f51fdd62f4cd974981ec400cc29730be4d4b756903ca528ef4007c87a1aae5ed59549703fb6fcc55c49557d68f13934663716a6e38e87
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize: 1KB
MD5: a3bb7ddbd7fbb8e33c8589919ad52c71
SHA1: f97979f34910d71d5133db673ad29bb00ce5a72a
SHA256: a1d6675ac45a923d7308f5257fb84509fbcf568bd123aa6ddabcd9064c40c176
SHA512: f957819e15eca95b28c47503c2eae5e15019a2f6ae2814a62b556c1a0c1c088e9cb857f7b71b6531536714840fe63d6241b4f12b17bcfdf4f6ab38d77a5b7147
-
Filesize: 1KB
MD5: b9bec6f833970568963c0377c05f6bab
SHA1: 231066cb69c228e6980971c2561c0601271ce8dd
SHA256: e37ac4796f76d64b9bfecbff5d9ebb8edf504d86f0892af76945a6d9ed1b1128
SHA512: 6b40a072722265e40b6c96c96811c85c54d323b61a9c5832b6fd526998c267cd5ccf1133d31b15e20cccaae0c36238e51039bc0b2d28429faf57bb4a22cbe70c
-
Filesize: 1KB
MD5: f57dbdf50e2357f9aa894ba24556b069
SHA1: 72fdbb80cb4c7a4e50b483c53830fdecdcdb8da0
SHA256: 358a8b345d81928e388a0116e47681cccf9b52624be6256216c8516bb70ca1a8
SHA512: e0182f6e068391dbc6df62d5f56e5d2c518a4eefe62590a0566e40337624c434631c5759eeef6503f316fcd12fc636423a9c2de4a3d62db12dd40fbd92027411
-
Filesize: 1KB
MD5: b4b95645ee9b61f842f57bc4c31c2ee1
SHA1: 9dda020d7c8948b33b28fb26792dccc5a3bda266
SHA256: 8ec701a6ae0549a01ede23588db3565a77cf356be5c27fdef2912183706e1fb6
SHA512: 51a2097078f55f3ce963a4cd28b4ec6f3bdff28495a5d9eea31525d8a6e5a134b9a6c71df819cd35d363136935dbb37cf5dc9133731b0ecd88072e1594f48940
-
Filesize: 1KB
MD5: f54a76b80df4384e57f36047f930dca0
SHA1: f6fb93a209ecc9d8dc1a1cc5f63424de12b57eba
SHA256: 422904914f49a9871d6164c28de57786dffdd08937bfe7ac91406a04e70649e5
SHA512: fcdad89434c0d617faf65cd5aa5e7a439f754bf0413a742e6195dfbd6a750c56a10fc54c8c616ab2abcab135efcfbf201ed1c632fde44fc0cc2c48782ce2dc05
-
Filesize: 1.7MB
MD5: a5200101cac307b258171be1029c846b
SHA1: d0eabc33191065b17589b6290c6e3a103cfb880b
SHA256: 5f93e8c94746a7729e3e7a93b8436a7d3a6f15123f80ac5ec8b2848b28c42071
SHA512: 245c893b579769b6456a9684e8dcf41b96832548949d112ea8261b93c9e8f7d1d74b366aa34ca86a5c0fd58e89a43d7ad894565d217cb34c9d73f8fa26bb084f