Analysis Overview
SHA256
5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6
Threat Level: Shows suspicious behavior
The file 5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Checks SCSI registry key(s)
Modifies registry class
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 15:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 15:15
Reported
2024-06-16 15:18
Platform
win7-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe | N/A |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe | N/A |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_16_15_16_18_259414514_5_3_6334 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\agentupd.oau.tmp | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Deploy | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Data | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\ExData | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\AgentTask | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_16_15_16_14_259410630_1_3_41 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msmidtierserverclass_cache3.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\OAgentTray | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular3Path\SCDT\SetupAppTemp | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_8_259405108_1_3_41 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular3Path | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TSafeDoc | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\SurvData | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Policy | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\OPolicy.ini | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_16_15_16_20_259416558_7_3_26500 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\SCDT\DocLog | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sdcenter.dll | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_8_259405108_2_3_18467 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\AgentTask\AgentTaskList.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_8_259405108_4_3_26500 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass_cache2.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Files | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Rtft | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_8_259405108_3_3_6334 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Screen | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass2.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_16_15_16_16_259412580_3_3_18467 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msmailboxidentify_cache.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\OAgent.ini | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\PrintData | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\WinPatch | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Download | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular3Path\SCDT | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass_cache2.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\msoapphash5.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Mails | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Temp | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\bakrdgv3.sys | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSMatch | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\bakstec3.sys | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\msmidtierserverclass_cache3.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msmailboxcalss_cache.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\OBtEmulator | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\SCDT | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent\1040 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\BroHistory | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msodhash3.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Asset | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msoapphash5.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msagentclass.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\bakDWM.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakCertList.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakDWM.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakCertList.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\win.ini | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakSCClient.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakTKSPack.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakTKSPack.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTStartMenu.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakThirdPartyLib.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\bakCameraPack.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakThirdPartyLib.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakSCClient.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTStartMenu.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakCameraPack.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "0" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "0" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "2589671583" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000000000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000010000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400410044005900200048004100520044004400490053004b00200044004400300030003000310033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ce8752b9590600000000000000000000000000000000000000000000000000000000000000000000000000000000000024f61d5b7432e640 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 24f61d5b7432e640 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 010000004400410044005900200048004100520044004400490053004b0044004400300030003000310033000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "65627" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe | N/A |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
"C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe"
C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe
-Unpack-logDir"C:\Users\Admin\AppData\Local\Temp\AgentInstall"-v"4.0.0.13"
C:\Program Files (x86)\Common Files\system\systecv3.exe
"C:\Program Files (x86)\Common Files\system\systecv3.exe"
C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe C:\Windows\system32\Windows6.1-KB3033929-x64.msu /quiet /norestart
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
C:\Windows\SysWow64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
C:\Windows\SysWow64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| HK | 154.91.64.159:8237 | tcp |
Files
\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe
| MD5 | a5200101cac307b258171be1029c846b |
| SHA1 | d0eabc33191065b17589b6290c6e3a103cfb880b |
| SHA256 | 5f93e8c94746a7729e3e7a93b8436a7d3a6f15123f80ac5ec8b2848b28c42071 |
| SHA512 | 245c893b579769b6456a9684e8dcf41b96832548949d112ea8261b93c9e8f7d1d74b366aa34ca86a5c0fd58e89a43d7ad894565d217cb34c9d73f8fa26bb084f |
C:\Users\Admin\AppData\Local\Temp\AgentInstall\Installation.log
| MD5 | 2b436f31fa2d70ec9015c354492b8eaf |
| SHA1 | cb82c223e44c4ffaa8b6e4c4dc8cd9b17c1edf24 |
| SHA256 | 86629d5d52f18489005c711d3068cc9cb9f49bd326b1bcd5c405fc2b0efccfa7 |
| SHA512 | 866077d7e79f6cc023a989d4c8312d0b2df93dab94e5f0c700f95b24e515d7faf4290f209ec0cc5fbeeb1bdec89dadb096589d8d2632ba02340372b87fe3ce63 |
C:\ProgramData\IPGASKERNEL20240616151600\SetupData.dat
| MD5 | 674e3c701589408cf61a992619e31a6b |
| SHA1 | 9586bac628f9aecc09ea07cb64d6bfe6274d4f70 |
| SHA256 | 0d712cf727b443ff2d83f92940d7500f5fd133257f167fae4ae03c40b5a14656 |
| SHA512 | af623d5e5ab13c315586084301013e1bbeb3ba0a45378de849cf5523eb468c95f88704e00081c65d06b638c162c91ce6bb15ab9084d90cf0d90abd34fab86039 |
C:\ProgramData\IPGASZIP20240616151600\file002.tmp
| MD5 | 0aed8f70a00060f8005efa8d1c668b98 |
| SHA1 | c75fe3d1a2476da55f526d366f73bedbfd56f32a |
| SHA256 | 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671 |
| SHA512 | 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787 |
C:\ProgramData\IPGASZIP20240616151600\file003.tmp
| MD5 | 3ae42cb8a028c5be3f57575342bbb56d |
| SHA1 | 2939396b9069d4b46febc047b13ce2c30de7e886 |
| SHA256 | 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609 |
| SHA512 | f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24 |
C:\ProgramData\IPGASZIP20240616151600\file004.tmp
| MD5 | 0cbeb75d3090054817ea4df0773afe35 |
| SHA1 | 58c543a84dc18e21d86ad2c011d8ac726867fb78 |
| SHA256 | 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822 |
| SHA512 | f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c |
C:\ProgramData\IPGASZIP20240616151600\file005.tmp
| MD5 | 889482a07ba13fc6e194a63d275a850a |
| SHA1 | 16a164fded3352abb63722a5c74750cdc438f99a |
| SHA256 | 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0 |
| SHA512 | e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a |
C:\ProgramData\IPGASZIP20240616151600\file006.tmp
| MD5 | fb741fceeb80a76f7f0005a1ac60604a |
| SHA1 | a6a8d97365634b266f0b5a001038a5a86b9ed2d6 |
| SHA256 | c8bd29c490368ebfc56dc5c951e24af613f7e5b68a8493240f5ec1afd9d4a9b1 |
| SHA512 | 8e43d1a8448828e9ea5fcac792b95dcb63640ea200cb2d2dff4902c4ceb6e79a405e0739d293c7cc14bb6ee025089fb9e954ba38e6707b92ac9fe251918bd780 |
C:\ProgramData\IPGASZIP20240616151600\file001.tmp
| MD5 | 97ac3ef2e098c4cb7dd6ec1d14dc28f1 |
| SHA1 | 3e78e87eefe45f8403e46d94713b6667aee6d9c9 |
| SHA256 | a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1 |
| SHA512 | 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd |
C:\ProgramData\IPGASZIP20240616151600\file000.tmp
| MD5 | b9e0a7cbd7fdb4d179172dbdd453495a |
| SHA1 | 7f1b18a2bee7defa6db4900982fd3311aabed50d |
| SHA256 | cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce |
| SHA512 | 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c |
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
| MD5 | 1630b69bfc6c00695c3dccb605f98254 |
| SHA1 | 19176bba591c452cc417ce59349f370c5be816cd |
| SHA256 | 2ca39bfc3e928b0c36b3d57cf9768f0dcd6283ab3177c981bbd12b605f129c46 |
| SHA512 | cad9169ca2d377c3de59dc5253ff6fb62eaccb4d48958be0ed7911210eeb73712befcd1df4450cdf3872bc8c2631745134ef3b56d5ea956724ec5e7fedb04921 |
memory/1476-240-0x0000000002E30000-0x0000000003C5C000-memory.dmp
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | f52c682f56480f716f67ee8a2108ab21 |
| SHA1 | 7841bb9e117fe479a6ed213e2f3e0aad6624d7a3 |
| SHA256 | 36a2df783f33b4ee2fbe63b9708b678b21563793209938e70241083ac590c07a |
| SHA512 | 0c08bb9502c9757b53f06c9a02e5b31420e0a1bd8934cb6f963e7a169b7f1428dd73e0576fc7cf548b1df1ae4aa6a25147cfc15ee43a92656eb45350b2306439 |
C:\Windows\win.ini
| MD5 | aae430e4fd437114efcbe85fb759f074 |
| SHA1 | 76fd87a466175652859f7f3925c03d6f7ccaaa47 |
| SHA256 | 94f4e0b0d3ede5c26a9fa8a0b80fa21222b4f11657c62fe0c84a8450033e7ddc |
| SHA512 | 36366e0ee89812c3b05f51fdd62f4cd974981ec400cc29730be4d4b756903ca528ef4007c87a1aae5ed59549703fb6fcc55c49557d68f13934663716a6e38e87 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 90b447870feadf5e50d43ca3fb21f4dc |
| SHA1 | 10738e75635b4932d52b36ee00f1f67dc2b1a4a7 |
| SHA256 | 8280932b6286f493ddf3e8a30369be5559c4a435092247e48912e7167a1cc3a3 |
| SHA512 | e04ee6a223eebac67ac8109fc45ff14437cacfa51c29f440b666c66b741741e2c264a605f5a601a91643967a13a0175d0dbb50881be10c6d83f7323e5769cf30 |
C:\Windows\win.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 25a1417a6e0b0a9cbe6f5926d5c34df3 |
| SHA1 | 8e6a38958cba7f1f1e52966b5bf8547efad04e18 |
| SHA256 | 7c7033683d461378f93f9dce9a5f5f7e3dd7e5b8a3e9269602acd7a63ef51cbe |
| SHA512 | 7a398556e550780db29dcfcc2b8a3239cb293fb891247bc1d94356193ddf8ecddc01736d47e44953f2f8549564bae20c1afb752e31ca4da711a5ed75a92b0845 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 20df091865173e0f9e9a80efc6326ab2 |
| SHA1 | 78bc403371f95418b50897659445d01e557effcb |
| SHA256 | 8cd8f41d64c73abdc3042940b8ff0d7d0e036a67c4f0dfe30bec553f09cc1b7d |
| SHA512 | 2eabbc188e8eb4da26d28d6b4abeed07f9a2880fb4d67af29ad59dd37eab01fdb3c6000497a07ce19284f7ef03a0647b86c464dc16efa84762d6d0ae521ceb60 |
C:\Windows\win.ini
| MD5 | a3bb7ddbd7fbb8e33c8589919ad52c71 |
| SHA1 | f97979f34910d71d5133db673ad29bb00ce5a72a |
| SHA256 | a1d6675ac45a923d7308f5257fb84509fbcf568bd123aa6ddabcd9064c40c176 |
| SHA512 | f957819e15eca95b28c47503c2eae5e15019a2f6ae2814a62b556c1a0c1c088e9cb857f7b71b6531536714840fe63d6241b4f12b17bcfdf4f6ab38d77a5b7147 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | b3c82c527df0423a1c0e96ddb3923d99 |
| SHA1 | 1edb3c0c93ff21f9c20592e5b20473e5461a5700 |
| SHA256 | 61521f852ca1726cfd18c12ec88f3857f9fd03cdf046b8116d8df00a874ab88f |
| SHA512 | 919db171a6766f388a7ff11b325c3d26ed9f8ecc1e25d089a5807c29f9b75b7909635c10b18edceed4967d5f2c12ad7d813f8574dda0e2e554ad91bc82aa64e4 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 1867426430a638096e1c00a767b2e3b8 |
| SHA1 | ecb0aa16ed5781124a054ae014e937b1d15009a5 |
| SHA256 | ac5a63688f08bf73086f662f10caf2fe8ed454d440264817bee2e6a3592c3e5d |
| SHA512 | bdb81aee223794d02a830c426c2df1f7b317c182e465ae90053ba300353357516f23f2553858458980ff51a26ced80753702e06523f89a90dd03f06ca44a5e30 |
C:\Windows\win.ini
| MD5 | b9bec6f833970568963c0377c05f6bab |
| SHA1 | 231066cb69c228e6980971c2561c0601271ce8dd |
| SHA256 | e37ac4796f76d64b9bfecbff5d9ebb8edf504d86f0892af76945a6d9ed1b1128 |
| SHA512 | 6b40a072722265e40b6c96c96811c85c54d323b61a9c5832b6fd526998c267cd5ccf1133d31b15e20cccaae0c36238e51039bc0b2d28429faf57bb4a22cbe70c |
C:\Windows\win.ini
| MD5 | f57dbdf50e2357f9aa894ba24556b069 |
| SHA1 | 72fdbb80cb4c7a4e50b483c53830fdecdcdb8da0 |
| SHA256 | 358a8b345d81928e388a0116e47681cccf9b52624be6256216c8516bb70ca1a8 |
| SHA512 | e0182f6e068391dbc6df62d5f56e5d2c518a4eefe62590a0566e40337624c434631c5759eeef6503f316fcd12fc636423a9c2de4a3d62db12dd40fbd92027411 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 9599bf033070b0cd403ea0b9866a715c |
| SHA1 | 5df463a0071f8686004af950cb9f646dbdcd1a44 |
| SHA256 | 11e40464af49c92f88f5ffe9dc91e17f01ae2e69b03328aa1d11f3e3549ae385 |
| SHA512 | 8ce81fa42bd3f73aeb2aa93b17e383269f116063627b0e02e8fb64f6552ae34367726f723832bc52d0de7bf224d4f56c63a8d081ce71c15f503f08a78c20e541 |
C:\Windows\win.ini
| MD5 | b4b95645ee9b61f842f57bc4c31c2ee1 |
| SHA1 | 9dda020d7c8948b33b28fb26792dccc5a3bda266 |
| SHA256 | 8ec701a6ae0549a01ede23588db3565a77cf356be5c27fdef2912183706e1fb6 |
| SHA512 | 51a2097078f55f3ce963a4cd28b4ec6f3bdff28495a5d9eea31525d8a6e5a134b9a6c71df819cd35d363136935dbb37cf5dc9133731b0ecd88072e1594f48940 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 4559a4e5e72758c2143ea2df4fef2d80 |
| SHA1 | de19263f65c84116303455e1b6f7f17a5804106a |
| SHA256 | 539d957148a2d2eb2c6324ddd72b5115565ad2fb4277ff0770a47710034aeb49 |
| SHA512 | 7878aac7567d85ae90502dcc08a68079ea066217c17ba3f1dbf4e5a2bce29b90f8e5868dfee630d50ced0a829cca7547a815272bf4fdeeb3dd8cb9b5f4d6f8ec |
C:\Windows\win.ini
| MD5 | f54a76b80df4384e57f36047f930dca0 |
| SHA1 | f6fb93a209ecc9d8dc1a1cc5f63424de12b57eba |
| SHA256 | 422904914f49a9871d6164c28de57786dffdd08937bfe7ac91406a04e70649e5 |
| SHA512 | fcdad89434c0d617faf65cd5aa5e7a439f754bf0413a742e6195dfbd6a750c56a10fc54c8c616ab2abcab135efcfbf201ed1c632fde44fc0cc2c48782ce2dc05 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | d507eb5245005c37131dd7a28a1d13b8 |
| SHA1 | 5320122b571fa6fd6765240d5b8a2a321207248d |
| SHA256 | 98ee8ec9cf4c9d6b630019a4fc5362eb4ca1da0eb9fb0a748f1e75e5d421ee01 |
| SHA512 | 7e3ab504f742e8a1074cd91569f3ffed29214581d5feb47d38174899040b661796e9bf640e0bdb9a880782b1ee67329ad963da33dff31e364d51bd371e529c82 |
C:\Windows\SysWOW64\Ocular\msusersystemservercfgclass.dat
| MD5 | b4c5a731de7aafc9a8dece224e0db819 |
| SHA1 | 190077d8d59260ec8362b8ef35c6b697dc8ed400 |
| SHA256 | c4b9f8c964f351f470cfb1734631489c055af13bb8b2df5cc477f2531b476d37 |
| SHA512 | 120a7c2f964c2228c3546aa5e2a25862530e373812b99613b3d7ab763a267ba8dc49f108eeafc7b5246c6eb70b2099078345b8411e01e6450b47900e6981ef98 |
C:\Windows\SysWOW64\Ocular\msmidtierserverclass3.dat
| MD5 | 802914edc8dec4d5414de5bb98601d40 |
| SHA1 | 13fe97de7e7593781a472d95324303e34eab552b |
| SHA256 | 01b4788cf9af339f50345c428bc0f850ad3902610df4ef31fff80b5e4b899947 |
| SHA512 | 64486f3c23652c9a251c49a01f6c2794b5f27a0a2e10069bd4cd3172d8b7cee0c49bf98300152d8338facb025c4c771a85f3cd920f7375b6b7d7e27fd4f3adcf |
C:\Windows\SysWOW64\Ocular\OPolicy.ini
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Windows\SysWOW64\Ocular\OPolicy.ini
| MD5 | ec0580e0ce62c404d1e7f9054733b880 |
| SHA1 | 8891b974c18fad0c1d85b4cf1044e0fc2bbfe557 |
| SHA256 | f03a3b886b7fdca962205c9b8b9cb4be3bbf3b0954798c37b685bb2736eb4649 |
| SHA512 | 5c835f02d52bf2a81619fe52d24ab811408c976d57c4d17d1af4ab32aca3ab8e363831b55f5c976b9c8109cc41e94b73e92eb959cff1dbd4a2804067ff9db381 |
C:\Windows\SysWOW64\Ocular\OPolicy.ini
| MD5 | f76ce1e6823ef205078147113d610b0a |
| SHA1 | 2bf26470ae2b2f0e677cd2655c2953ec420f3301 |
| SHA256 | 18417c20d1e8fe2a0d7d492f82d3edf83a14863186463477c0cdcf0e43dac7a2 |
| SHA512 | 974e958ed96397bbe6fb2d7fed7245d86fb7334230d7730e648192b49712bfcab90b75f081b5bf25ab9f4149e3da431ebca91125a5cfa8806c41f9bb4796b12d |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 1e384a01a121a76b17c8ca2ead8c6341 |
| SHA1 | 6e5aa86c980014bb43c5f57faf912a3269092759 |
| SHA256 | 9d35fa038c9cf67cd7ab8307c82b5176c8b1dd8e2963d4e1e8903613a1fd6fe1 |
| SHA512 | 5477298a3664fa67e208abe7d0a0f57319de3c707905e8a1a5f270a2e7e2b2320a4e347418e8e8a9b10fcf35c1ea73b17c7f2a08a18c54f25a02e0dfc2c818d0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 15:15
Reported
2024-06-16 15:18
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ocular\OBtEmulator | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\SCDT | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_6_240607718_1_3_41 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_6_240607718_3_3_6334 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\OAgentTray | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent\4472 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sdcenter.dll | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\FtTemp | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\BroHistory | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\msoapphash5.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Deploy | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Rtft | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\ExData | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Download | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_6_240607718_2_3_18467 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_16_15_16_6_240607750_4_3_26500 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\WinPatch | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Dump | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular3Path\SCDT\SetupAppTemp | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular3Path | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File created | C:\Windows\SysWOW64\bakstec3.sys | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\OAgent.ini | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Files | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Temp | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\PrintData | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Screen | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Data | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\msodhash3.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Mails | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Asset | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TSafeDoc | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Policy | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSMatch | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular3Path\SCDT | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\bakrdgv3.sys | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\msoapphash5.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\AgentTask | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\SCDT\DocLog | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\SurvData | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\bakCertList.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakCameraPack.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakDWM.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakThirdPartyLib.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakTKSPack.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakSCClient.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakDWM.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakThirdPartyLib.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTKSPack.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakSCClient.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTStartMenu.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakCameraPack.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTStartMenu.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakCertList.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\win.ini | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRomQEMU____QEMU_DVD-ROM____2.5+ | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DiskDADY____________HARDDISK2.5+ | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "0" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "0" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400410044005900200048004100520044004400490053004b00200044004400300030003000310033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000f20c5df75bb000000000000000000000000000000000000000000000000000000000000000000000000000000000000024f61d5b7432e640 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000000000001000000100000000000000046004600460046004600460046004600460046004600460030003300300030000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 010000004400410044005900200048004100520044004400490053004b0044004400300030003000310033000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "2589671583" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = 24f61d5b7432e640 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe | N/A |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe
"C:\Users\Admin\AppData\Local\Temp\5eb7cdf803486d6aed23c404b8e0e005406dee87187f5448299cda30cb3037a6.exe"
C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe
-Unpack-logDir"C:\Users\Admin\AppData\Local\Temp\AgentInstall"-v"4.0.0.13"
C:\Program Files (x86)\Common Files\system\systecv3.exe
"C:\Program Files (x86)\Common Files\system\systecv3.exe"
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
C:\Windows\SysWOW64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
C:\Windows\SysWOW64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| HK | 154.91.64.159:8237 | tcp | |
| HK | 154.91.64.159:8237 | tcp | |
| HK | 154.91.64.159:8237 | tcp |
Files
C:\ProgramData\IPGASKERNEL20240616151600\AKernel3.exe
| MD5 | a5200101cac307b258171be1029c846b |
| SHA1 | d0eabc33191065b17589b6290c6e3a103cfb880b |
| SHA256 | 5f93e8c94746a7729e3e7a93b8436a7d3a6f15123f80ac5ec8b2848b28c42071 |
| SHA512 | 245c893b579769b6456a9684e8dcf41b96832548949d112ea8261b93c9e8f7d1d74b366aa34ca86a5c0fd58e89a43d7ad894565d217cb34c9d73f8fa26bb084f |
C:\Users\Admin\AppData\Local\Temp\AgentInstall\Installation.log
| MD5 | 5b4a2b067819b70c6c5381d8cd3e7f41 |
| SHA1 | c42a3feca754c8ba0705dcbb6cbc3009c5dd7328 |
| SHA256 | c5707a87c6f2158e8bc66b76ec97a8b534ece21c64f9ca1d4de5a52e7066083d |
| SHA512 | 692304c356ce773c1792bcfcf1de62fdbe1761453e4254a95c3cc2ad0ea871def56181ed84c49bb4076b42628e77444d5d76006b66f7109424be311c20668a3f |
C:\ProgramData\IPGASKERNEL20240616151600\SetupData.dat
| MD5 | 674e3c701589408cf61a992619e31a6b |
| SHA1 | 9586bac628f9aecc09ea07cb64d6bfe6274d4f70 |
| SHA256 | 0d712cf727b443ff2d83f92940d7500f5fd133257f167fae4ae03c40b5a14656 |
| SHA512 | af623d5e5ab13c315586084301013e1bbeb3ba0a45378de849cf5523eb468c95f88704e00081c65d06b638c162c91ce6bb15ab9084d90cf0d90abd34fab86039 |
C:\ProgramData\IPGASZIP20240616151600\file000.tmp
| MD5 | b9e0a7cbd7fdb4d179172dbdd453495a |
| SHA1 | 7f1b18a2bee7defa6db4900982fd3311aabed50d |
| SHA256 | cb72b724c5f57e83cc5bc215dd522c566e0ea695b9e3d167eed9be3f18d273ce |
| SHA512 | 720985495b67e87f6ecf62268d7dc8fecdb7c06cf9606ce1a12ce4ea741dd3d46a759420e02ec54bc6e96e49d37a2e19ac307093b1228c01914c8e632a8d373c |
C:\ProgramData\IPGASZIP20240616151600\file001.tmp
| MD5 | 97ac3ef2e098c4cb7dd6ec1d14dc28f1 |
| SHA1 | 3e78e87eefe45f8403e46d94713b6667aee6d9c9 |
| SHA256 | a3d817490804a951bac1c7b1ea6f48aed75baec7e3b4e31be4fbd1fe82860bb1 |
| SHA512 | 693e90da2581306a1f9bb117142429301c7dc28a8caf623c4dfc21f735c53c4502e2b58a5ebdbd8c568dfd3393d1687428f1934f4c28b4fc715eb8f856ac02cd |
C:\ProgramData\IPGASZIP20240616151600\file002.tmp
| MD5 | 0aed8f70a00060f8005efa8d1c668b98 |
| SHA1 | c75fe3d1a2476da55f526d366f73bedbfd56f32a |
| SHA256 | 326abf1af467670de571252bfd8118b9ea0b8a3babc10df092fffc2da3e11671 |
| SHA512 | 738f9cbd6f693647d8b091d7192db8963e2c4ecb179ce1b5c7a81f56045674694faed7fdf88af5d7e144149d86df167d9adf6460e3905024faf526c08f7dc787 |
C:\ProgramData\IPGASZIP20240616151600\file003.tmp
| MD5 | 3ae42cb8a028c5be3f57575342bbb56d |
| SHA1 | 2939396b9069d4b46febc047b13ce2c30de7e886 |
| SHA256 | 0e0efb65f52f8ae90f1227aafddb1bd23803229497fc82c5c458c8d6eb83a609 |
| SHA512 | f4e5c0ff991fc907049171f8bc0ac763462e081b411547a3b24f7d57b51a73fb2c3d0a8daf5cccb0ddd8970ed5c81baf3a2c8e5b22eb3ccdc672a1e1aa01ae24 |
C:\ProgramData\IPGASZIP20240616151600\file004.tmp
| MD5 | 0cbeb75d3090054817ea4df0773afe35 |
| SHA1 | 58c543a84dc18e21d86ad2c011d8ac726867fb78 |
| SHA256 | 453e2290939078c070e46896b2d991f31d295bbc1c63059b10f3c24cad7c4822 |
| SHA512 | f3ab9f393da18df2cfc22020627e72ae9e7c7b47db088aaf0fa773028c96d0e7e3d4127082b59296eecfc9c60d389a43c78ba0a4348b0f6ceb76cc8978ba649c |
C:\ProgramData\IPGASZIP20240616151600\file005.tmp
| MD5 | 889482a07ba13fc6e194a63d275a850a |
| SHA1 | 16a164fded3352abb63722a5c74750cdc438f99a |
| SHA256 | 799d176813c3d0f5a01fd482576aeab6a63e5024f3392e7974f5e437c3d7e3a0 |
| SHA512 | e5cb9cf49120ed20b07faceefccef24da4335f28f49d9ae7bfafccbc9a239c4039e9ce5f5d13b49d0be475b3913311d08b7d70a1a2df0c974d4c5a5f7bec507a |
C:\ProgramData\IPGASZIP20240616151600\file006.tmp
| MD5 | fb741fceeb80a76f7f0005a1ac60604a |
| SHA1 | a6a8d97365634b266f0b5a001038a5a86b9ed2d6 |
| SHA256 | c8bd29c490368ebfc56dc5c951e24af613f7e5b68a8493240f5ec1afd9d4a9b1 |
| SHA512 | 8e43d1a8448828e9ea5fcac792b95dcb63640ea200cb2d2dff4902c4ceb6e79a405e0739d293c7cc14bb6ee025089fb9e954ba38e6707b92ac9fe251918bd780 |
memory/1984-314-0x0000000001940000-0x000000000276C000-memory.dmp
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 9c9a766237d29b84b125ee11ab6baa2e |
| SHA1 | aafa9a1d9a4c1964c7b770ee6da761c1badf30cd |
| SHA256 | 9ebd2b284c09586d99c400eeb81df92e947dd4590cc9db9098340ab54996c8a4 |
| SHA512 | 74e37ef76477c41de1819effa832915aeaff8a6caeaf846314e365010e74accedda551cd718c0f63b6ddd8eec787484667e27cd56bec7133c2ef5e3413c3656b |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 3b259f8aea1a1d81a371905633458f5d |
| SHA1 | f7740eae1882fd2e0f0fefc034905ef915a89f50 |
| SHA256 | 5d327ac638a9b8809e44e592d3a9d3ba043a36de6bbec54aac6bab96adee5db7 |
| SHA512 | 6cee54681c92a92eb84929de07ef966b1bcbb3a2773571866574b21912c5dc42ae6959b49ae0eb575a5803a65e6c6db3046651329e2c7ffcc4d68904dca56bdf |
C:\Windows\win.ini
| MD5 | 81db57351dbcfece486f2bdd857f3cb6 |
| SHA1 | 6d4840701bc79390773561a47591e6873a6ebedd |
| SHA256 | 12d9a5b63786677d7d80dba79d9d18996ddb9d8fd7caf0c1f50e64f7faba214b |
| SHA512 | 1b82e288eed796a82bb9e48eea5cefac22f8e4fa207b514d41deccd1ce3cc119b767cbc704bdcc230e37dd9f1cf128874d14dda438c423e1b59432bb8e00070f |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | cc326bdfd62060ccae3add4e69541c43 |
| SHA1 | b9eb0779249c984de1fc86e03af4d7170c6b0de0 |
| SHA256 | e8bae60d1b46c5c23290a731d53deae396466d11ff1bab76cf19dd730cf7be61 |
| SHA512 | 28ca5c44dba97f1ff375b2bb740b04a9afacc4707f0ed09268908b4504193d215e8ce3e7c4b483f6c6fbc16568a1a12dfbab3b9159f8446368f6a5aa7530777c |
C:\Windows\win.ini
| MD5 | 1826e8e3820150b8678a720f470d17f2 |
| SHA1 | 5916534f7e4f9db556acf81ba7d81f22b45f1ff8 |
| SHA256 | 688030afeddef00a0dd4aae8be4cac0f9d1e55a58d3457a2b28ccd0d46e4f1ba |
| SHA512 | e6bbcebdc5f8bca3331da3664f3bf7222276354ab2e7e7b4c6906b5fae7f81180a0e64ad9dfef8d1f18304b537fadbb705bb87f8029455d8a2218289e23cf5a6 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 04b38fb45deeedbc5d18c6fd8017222d |
| SHA1 | dbc494f1928751dd6f963905f224b169780dd152 |
| SHA256 | 9fed9422465176d4e43e4d3078678b444d138b2c42659091064e63c6a5785e1a |
| SHA512 | 4a1228518f79bec3bd3f65a46ee3c09883fc884044b682117aa5f100d9cccbea988744d80c7a3b437ba10c028efaf8a0b506ba54ee3e53951c3b5711038e88da |
C:\Windows\win.ini
| MD5 | fc770c1940a1b98fc92a08902c729d74 |
| SHA1 | a739a734e7d4866033d4d8ead2bdbea55a3a2d6e |
| SHA256 | 1fd03a6f7033e76e89213346d3abd8af6d68b2f2d80ddc1f077112be78b4987f |
| SHA512 | d5893751ad98ae8b492d7e7f7db201f2cd0e422a47cf7816f96fa5c7cb93e1ffab16989f17eb51bcde10810b550a251069f15c3d9574cbbf15ab2780069e5493 |
C:\Windows\SysWOW64\Ocular\OAgent.ini
| MD5 | 6cc51ce855dd35f5f7a5a79d86353796 |
| SHA1 | 380a640c311a849e24bfb035238955538ba9b592 |
| SHA256 | 474f3e3223ee28534689cedf030ba2ef32d2767108b0bba5876953558859e70d |
| SHA512 | 039172b3d22571d30a2a8a2664ada521f144f1401af49d6b12b0edf6e77591ae95c4cee1b5c013fc892297cf047485f6447e4204e949df6f2339dbe886066a53 |