Analysis Overview
SHA256: 3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834
Threat Level: Shows suspicious behavior
The file 3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
System policy modification
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-26 05:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-26 05:54
Reported: 2024-06-26 05:56
Platform: win7-20240611-en
Max time kernel: 149s
Max time network: 144s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.Winhlpsvr\ = "Service" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.Winhlpsvr | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834.exe | N/A |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe | N/A |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\F: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWow64\Ocular3Path\SCDT | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass_cache2.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msodhash3.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\OAgent.ini | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Deploy | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\AgentTask | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\AgentTask\AgentTaskList.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\bakstec3.sys | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File created | C:\Windows\SysWow64\bakrdgv3.sys | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sdcenter.dll | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\OPolicy.ini | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass2.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Dump | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_26_5_54_28_259407307_4_3_26500 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_26_5_54_41_259419600_3_3_18467 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_26_5_54_42_259420989_5_3_6334 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\WinPatch | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\SCDT | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_26_5_54_28_259407307_3_3_6334 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msagentclass.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msmailboxidentify_cache.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\msoapphash5.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\PrintData | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Asset | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msmidtierserverclass_cache3.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_26_5_54_43_259422377_7_3_26500 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSMatch | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\OBtEmulator | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msoapphash5.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass_cache2.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msusersystemservercfgclass.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\FtTemp | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\OAgentTray | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata_2024_6_26_5_54_36_259415388_1_3_41 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Mails | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Policy | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\msmailboxcalss_cache.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\msmidtierserverclass_cache3.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Temp | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_26_5_54_28_259407307_2_3_18467 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Files | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Data | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\ExData | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWow64\Ocular\ExData\ocular_exdata2_2024_6_26_5_54_28_259407307_1_3_41 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular3Path | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Screen | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\SurvData | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TSafeDoc | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\BroHistory | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\TKS\TKSTemp\Agent\2712 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Download | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular3Path\SCDT\SetupAppTemp | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\Ocular\Rtft | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\bakSCClient.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakCameraPack.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTKSPack.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakDWM.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakThirdPartyLib.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\win.ini | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\bakCameraPack.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakThirdPartyLib.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakCertList.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakSCClient.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTStartMenu.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakDWM.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\bakTStartMenu.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakTKSPack.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakCertList.dat | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000000000001000000100000000000000030004600300030004600460046004600460046003000300030003300300030000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471754723" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 010000004400410044005900200048004100520044004400490053004b0044004400300030003000310033000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 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 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000200000001000000100000000000000030004600300030004600460046004600460046003000300030003300300030000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "0" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "0" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = c20babdfa733e640 | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX = "010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000010000000100000001000000" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "66379" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "999" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834.exe | N/A |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Windows\SysWow64\winrdlv3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834.exe
"C:\Users\Admin\AppData\Local\Temp\3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834.exe"
C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe
-Unpack-logDir"C:\Users\Admin\AppData\Local\Temp\AgentInstall"-v"4.0.0.13"
C:\Program Files (x86)\Common Files\system\systecv3.exe
"C:\Program Files (x86)\Common Files\system\systecv3.exe"
C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe C:\Windows\system32\Windows6.1-KB3033929-x64.msu /quiet /norestart
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
C:\Windows\SysWow64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
C:\Windows\SysWow64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| HK | 206.238.197.227:8237 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 05:54
Reported
2024-06-26 05:56
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.Winhlpsvr | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\.Winhlpsvr\ = "Service" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ocular3Path | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_26_5_54_23_240623375_1_3_41 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Temp | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular3Path\SCDT\SetupAppTemp | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Screen | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\SurvData | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_26_5_54_23_240623375_4_3_26500 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File created | C:\Windows\SysWOW64\bakrdgv3.sys | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Files | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Deploy | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\SCDT\DocLog | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\bakstec3.sys | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\msodhash3.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\FtTemp | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TSafeDoc | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\SCDT | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular3Path\SCDT | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSTemp\Agent\2372 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_26_5_54_23_240623375_2_3_18467 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\PrintData | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\ExData | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS\TKSMatch | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\BroHistory | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\ExData\ocular_exdata2_2024_6_26_5_54_23_240623375_3_3_6334 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\TKS | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocular\msoapphash5.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Mails | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Data | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Asset | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\OBtEmulator | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Download | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sdcenter.dll | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Rtft | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Dump | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\Policy | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\OAgentTray | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\OAgent.ini | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\WinPatch | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\AgentTask | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocular\msoapphash5.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\bakSCClient.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakSCClient.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakDWM.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakThirdPartyLib.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakCertList.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakCameraPack.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakThirdPartyLib.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakCertList.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\win.ini | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTStartMenu.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakCameraPack.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakTKSPack.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakDWM.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| File opened for modification | C:\Windows\bakTKSPack.dat | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| File opened for modification | C:\Windows\bakTStartMenu.dat | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DiskDADY____________HARDDISK2.5+ | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRomQEMU____QEMU_DVD-ROM____2.5+ | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\System\winrdgv3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SSASN = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo = 010000004400410044005900200048004100520044004400490053004b0044004400300030003000310033000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE4 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIPD = "4294967295" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\InstallTime = c20babdfa733e640 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\GID = "0" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SNameSID = "4294967295" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 000000000000000006000000020000000200000043003a005c00570049004e0044004f005700530000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004400410044005900200048004100520044004400490053004b002000440044003000300030003100330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000005a63b3ea338b000000000000000000000000000000000000000000000000000000000000000000000000000000000000c20babdfa733e640 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE3 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AID = "0" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SIP = "3471754723" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\SName = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\AIDInfo2 = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSEEX | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN = 0000000000000000214e000000000000000000000000000001000000100000000000000030004600300030004600460046004600460046003000300030003300300030000000 | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B} | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\OUTOFLICENSE2 = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\system\systecv3.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834.exe | N/A |
| N/A | N/A | C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Windows\SysWOW64\winrdlv3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834.exe
"C:\Users\Admin\AppData\Local\Temp\3cfb38bd5abcc46a466a6650c69d21f09cf032c838d3f55b9bc342488f4e7834.exe"
C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe
-Unpack-logDir"C:\Users\Admin\AppData\Local\Temp\AgentInstall"-v"4.0.0.13"
C:\Program Files (x86)\Common Files\system\systecv3.exe
"C:\Program Files (x86)\Common Files\system\systecv3.exe"
C:\Program Files (x86)\Common Files\System\winrdgv3.exe
"C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
C:\Windows\SysWOW64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
C:\Windows\SysWOW64\winrdlv3.exe
C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
Network
| Country | Destination | Domain | Proto |
| HK | 206.238.197.227:8237 | | tcp |
| HK | 206.238.197.227:8237 | | tcp |
| HK | 206.238.197.227:8237 | | tcp |
Files
C:\ProgramData\IPGASKERNEL20240626055418\AKernel3.exe
C:\Users\Admin\AppData\Local\Temp\AgentInstall\Installation.log
C:\ProgramData\IPGASKERNEL20240626055418\SetupData.dat
C:\ProgramData\IPGASZIP20240626055418\file000.tmp
C:\ProgramData\IPGASZIP20240626055418\file001.tmp
C:\ProgramData\IPGASZIP20240626055418\file002.tmp
C:\ProgramData\IPGASZIP20240626055418\file003.tmp
C:\ProgramData\IPGASZIP20240626055418\file005.tmp
C:\ProgramData\IPGASZIP20240626055418\file006.tmp
C:\ProgramData\IPGASZIP20240626055418\file004.tmp
memory/3752-314-0x0000000001930000-0x000000000275C000-memory.dmp
C:\Windows\SysWOW64\Ocular\OAgent.ini
C:\Windows\SysWOW64\Ocular\OAgent.ini
C:\Windows\SysWOW64\Ocular\OAgent.ini
C:\Windows\win.ini
C:\Windows\SysWOW64\Ocular\OAgent.ini
C:\Windows\SysWOW64\Ocular\OAgent.ini
C:\Windows\win.ini
C:\Windows\SysWOW64\Ocular\OAgent.ini