asyncrat | 31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84

Analysis

max time kernel
72s
max time network
141s
platform
windows7_x64
resource
win7v20201028
submitted
10-02-2021 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mscalc.exe
Size

6.2MB
MD5

8da1beb8d0bd395cb183333e391269f2
SHA1

c1a7321e85ce8a80febecab35fe3a926bd4478fe
SHA256

31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84
SHA512

c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0

Score

10^/10

asyncrat darkcomet warzonerat 2021new-feb-444 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2021New-FEB-444

andronmatskiv20.sytes.net:35887

Mutex

DC_MUTEX-AXAUMCZ

Attributes

InstallPath
winskype.exe
gencode
YTK5uJnaoYn7
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
skypes

Extracted

Family

asyncrat

Version

0.5.6A

185.128.25.29:6606

185.128.25.29:8808

185.128.25.29:7707

Mutex

eruhbfgfe87

Attributes

aes_key
N90w8WPVT07mnspqHrDf4BSY88bVY3r9
anti_detection
false
autorun
true
bdos
true
delay
host
185.128.25.29
hwid
install_file
install_folder
%AppData%
mutex
eruhbfgfe87
pastebin_config
null
port
6606,8808,7707
version
0.5.6A

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

mscalc.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\winskype.exe"	mscalc.EXE

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1656-129-0x0000000000650000-0x000000000065C000-memory.dmp	asyncrat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/972-112-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/972-115-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/972-121-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2320-202-0x0000000000405CE2-mapping.dmp	warzonerat

Drops file in Drivers directory 1 IoCs

Processes:

mscalc.EXE

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts mscalc.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mscalc.EXE

Executes dropped EXE 10 IoCs

Processes:

AMDCPUL.EXEAUDIOMLE.EXEMONITRGB.EXESERVWINLE.EXETVLSWPLE.EXEVIDEOGPU.EXEWINDRVAMS.EXEwinskype.exesvhtiwes.exesvhtiwes.exe

pid	process
1648	AMDCPUL.EXE
1656	AUDIOMLE.EXE
1280	MONITRGB.EXE
580	SERVWINLE.EXE
1332	TVLSWPLE.EXE
924	VIDEOGPU.EXE
1624	WINDRVAMS.EXE
880	winskype.exe
1452	svhtiwes.exe
1652	svhtiwes.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1652-74-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral1/memory/1652-84-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral1/memory/1828-114-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1828-122-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1564 notepad.exe

pid	process
1564	notepad.exe

Loads dropped DLL 14 IoCs

Processes:

mscalc.EXEAMDCPUL.EXE

pid	process
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1440	mscalc.EXE
1648	AMDCPUL.EXE
1648	AMDCPUL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mscalc.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\skypes = "C:\\Users\\Admin\\Documents\\winskype.exe"	mscalc.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

mscalc.exeAMDCPUL.EXE

description	pid	process	target process
PID 1040 set thread context of 1440	1040	mscalc.exe	mscalc.EXE
PID 1648 set thread context of 1652	1648	AMDCPUL.EXE	svhtiwes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

AMDCPUL.EXE

pid process

1648 AMDCPUL.EXE
1648 AMDCPUL.EXE
1648 AMDCPUL.EXE
1648 AMDCPUL.EXE
1648 AMDCPUL.EXE
1648 AMDCPUL.EXE
1648 AMDCPUL.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

mscalc.EXEAMDCPUL.EXEMONITRGB.EXEsvhtiwes.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1440	mscalc.EXE
Token: SeSecurityPrivilege	1440	mscalc.EXE
Token: SeTakeOwnershipPrivilege	1440	mscalc.EXE
Token: SeLoadDriverPrivilege	1440	mscalc.EXE
Token: SeSystemProfilePrivilege	1440	mscalc.EXE
Token: SeSystemtimePrivilege	1440	mscalc.EXE
Token: SeProfSingleProcessPrivilege	1440	mscalc.EXE
Token: SeIncBasePriorityPrivilege	1440	mscalc.EXE
Token: SeCreatePagefilePrivilege	1440	mscalc.EXE
Token: SeBackupPrivilege	1440	mscalc.EXE
Token: SeRestorePrivilege	1440	mscalc.EXE
Token: SeShutdownPrivilege	1440	mscalc.EXE
Token: SeDebugPrivilege	1440	mscalc.EXE
Token: SeSystemEnvironmentPrivilege	1440	mscalc.EXE
Token: SeChangeNotifyPrivilege	1440	mscalc.EXE
Token: SeRemoteShutdownPrivilege	1440	mscalc.EXE
Token: SeUndockPrivilege	1440	mscalc.EXE
Token: SeManageVolumePrivilege	1440	mscalc.EXE
Token: SeImpersonatePrivilege	1440	mscalc.EXE
Token: SeCreateGlobalPrivilege	1440	mscalc.EXE
Token: 33	1440	mscalc.EXE
Token: 34	1440	mscalc.EXE
Token: 35	1440	mscalc.EXE
Token: SeDebugPrivilege	1648	AMDCPUL.EXE
Token: SeDebugPrivilege	1280	MONITRGB.EXE
Token: SeIncreaseQuotaPrivilege	1652	svhtiwes.exe
Token: SeSecurityPrivilege	1652	svhtiwes.exe
Token: SeTakeOwnershipPrivilege	1652	svhtiwes.exe
Token: SeLoadDriverPrivilege	1652	svhtiwes.exe
Token: SeSystemProfilePrivilege	1652	svhtiwes.exe
Token: SeSystemtimePrivilege	1652	svhtiwes.exe
Token: SeProfSingleProcessPrivilege	1652	svhtiwes.exe
Token: SeIncBasePriorityPrivilege	1652	svhtiwes.exe
Token: SeCreatePagefilePrivilege	1652	svhtiwes.exe
Token: SeBackupPrivilege	1652	svhtiwes.exe
Token: SeRestorePrivilege	1652	svhtiwes.exe
Token: SeShutdownPrivilege	1652	svhtiwes.exe
Token: SeDebugPrivilege	1652	svhtiwes.exe
Token: SeSystemEnvironmentPrivilege	1652	svhtiwes.exe
Token: SeChangeNotifyPrivilege	1652	svhtiwes.exe
Token: SeRemoteShutdownPrivilege	1652	svhtiwes.exe
Token: SeUndockPrivilege	1652	svhtiwes.exe
Token: SeManageVolumePrivilege	1652	svhtiwes.exe
Token: SeImpersonatePrivilege	1652	svhtiwes.exe
Token: SeCreateGlobalPrivilege	1652	svhtiwes.exe
Token: 33	1652	svhtiwes.exe
Token: 34	1652	svhtiwes.exe
Token: 35	1652	svhtiwes.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

mscalc.exeSERVWINLE.EXEVIDEOGPU.EXEAcroRd32.exewinskype.exe

pid process

1040 mscalc.exe
580 SERVWINLE.EXE
924 VIDEOGPU.EXE
1832 AcroRd32.exe
1832 AcroRd32.exe
880 winskype.exe

pid	process
1040	mscalc.exe
580	SERVWINLE.EXE
924	VIDEOGPU.EXE
1832	AcroRd32.exe
1832	AcroRd32.exe
880	winskype.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mscalc.exemscalc.EXE

description	pid	process	target process
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1040 wrote to memory of 1440	1040	mscalc.exe	mscalc.EXE
PID 1440 wrote to memory of 1648	1440	mscalc.EXE	AMDCPUL.EXE
PID 1440 wrote to memory of 1648	1440	mscalc.EXE	AMDCPUL.EXE
PID 1440 wrote to memory of 1648	1440	mscalc.EXE	AMDCPUL.EXE
PID 1440 wrote to memory of 1648	1440	mscalc.EXE	AMDCPUL.EXE
PID 1440 wrote to memory of 1656	1440	mscalc.EXE	AUDIOMLE.EXE
PID 1440 wrote to memory of 1656	1440	mscalc.EXE	AUDIOMLE.EXE
PID 1440 wrote to memory of 1656	1440	mscalc.EXE	AUDIOMLE.EXE
PID 1440 wrote to memory of 1656	1440	mscalc.EXE	AUDIOMLE.EXE
PID 1440 wrote to memory of 1832	1440	mscalc.EXE	AcroRd32.exe
PID 1440 wrote to memory of 1832	1440	mscalc.EXE	AcroRd32.exe
PID 1440 wrote to memory of 1832	1440	mscalc.EXE	AcroRd32.exe
PID 1440 wrote to memory of 1832	1440	mscalc.EXE	AcroRd32.exe
PID 1440 wrote to memory of 1280	1440	mscalc.EXE	MONITRGB.EXE
PID 1440 wrote to memory of 1280	1440	mscalc.EXE	MONITRGB.EXE
PID 1440 wrote to memory of 1280	1440	mscalc.EXE	MONITRGB.EXE
PID 1440 wrote to memory of 1280	1440	mscalc.EXE	MONITRGB.EXE
PID 1440 wrote to memory of 580	1440	mscalc.EXE	SERVWINLE.EXE
PID 1440 wrote to memory of 580	1440	mscalc.EXE	SERVWINLE.EXE
PID 1440 wrote to memory of 580	1440	mscalc.EXE	SERVWINLE.EXE
PID 1440 wrote to memory of 580	1440	mscalc.EXE	SERVWINLE.EXE
PID 1440 wrote to memory of 1332	1440	mscalc.EXE	TVLSWPLE.EXE
PID 1440 wrote to memory of 1332	1440	mscalc.EXE	TVLSWPLE.EXE
PID 1440 wrote to memory of 1332	1440	mscalc.EXE	TVLSWPLE.EXE
PID 1440 wrote to memory of 1332	1440	mscalc.EXE	TVLSWPLE.EXE
PID 1440 wrote to memory of 924	1440	mscalc.EXE	VIDEOGPU.EXE
PID 1440 wrote to memory of 924	1440	mscalc.EXE	VIDEOGPU.EXE
PID 1440 wrote to memory of 924	1440	mscalc.EXE	VIDEOGPU.EXE
PID 1440 wrote to memory of 924	1440	mscalc.EXE	VIDEOGPU.EXE
PID 1440 wrote to memory of 1624	1440	mscalc.EXE	WINDRVAMS.EXE
PID 1440 wrote to memory of 1624	1440	mscalc.EXE	WINDRVAMS.EXE
PID 1440 wrote to memory of 1624	1440	mscalc.EXE	WINDRVAMS.EXE
PID 1440 wrote to memory of 1624	1440	mscalc.EXE	WINDRVAMS.EXE
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 1564	1440	mscalc.EXE	notepad.exe
PID 1440 wrote to memory of 880	1440	mscalc.EXE	winskype.exe

C:\Users\Admin\AppData\Local\Temp\mscalc.exe
"C:\Users\Admin\AppData\Local\Temp\mscalc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\mscalc.EXE
"C:\Users\Admin\AppData\Local\Temp\mscalc.EXE"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe
"C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:1596

C:\Users\Admin\Documents\skype64.exe
"C:\Users\Admin\Documents\skype64.exe"
5⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo425\svhtiwes.exe
"C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo425\svhtiwes.exe"
6⤵
PID:2092

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe
"C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe"
4⤵
- Executes dropped EXE
PID:1452

C:\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE"
3⤵
- Executes dropped EXE
PID:1656

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.PDF"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Users\Admin\AppData\Local\Temp\MONITRGB.EXE
"C:\Users\Admin\AppData\Local\Temp\MONITRGB.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
"C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe"
4⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
"C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe" 1424
5⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
"C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe"
6⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:580

C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE"
4⤵
PID:1828

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:1908

C:\Users\Admin\Documents\rarl.exe
"C:\Users\Admin\Documents\rarl.exe"
5⤵
PID:1244

C:\Users\Admin\Documents\rarl.EXE
"C:\Users\Admin\Documents\rarl.EXE"
6⤵
PID:2288

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\TVLSWPLE.EXE
"C:\Users\Admin\AppData\Local\Temp\TVLSWPLE.EXE"
3⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
"C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924

C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
"C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE"
4⤵
PID:972

C:\ProgramData\svnhost.exe
"C:\ProgramData\svnhost.exe"
5⤵
PID:2076

C:\ProgramData\svnhost.EXE
"C:\ProgramData\svnhost.EXE"
6⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\WINDRVAMS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDRVAMS.EXE"
3⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\3I4SeOI5PFPCXXYo\winsers.exe
"C:\Users\Admin\AppData\Local\Temp\3I4SeOI5PFPCXXYo\winsers.exe"
4⤵
PID:2528

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Deletes itself
PID:1564

C:\Users\Admin\Documents\winskype.exe
"C:\Users\Admin\Documents\winskype.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:880

C:\Users\Admin\Documents\winskype.EXE
"C:\Users\Admin\Documents\winskype.EXE"
4⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE"
5⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo425\svhtiwes.exe
"C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo425\svhtiwes.exe"
6⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE"
5⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\TVLSWPLE.EXE
"C:\Users\Admin\AppData\Local\Temp\TVLSWPLE.EXE"
5⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
"C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE"
5⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\WINDRVAMS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDRVAMS.EXE"
5⤵
PID:580

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\MONITRGB.EXE
"C:\Users\Admin\AppData\Local\Temp\MONITRGB.EXE"
5⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
"C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe"
6⤵
PID:2180

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.PDF"
5⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE"
5⤵
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE
MD5
b10029d3c6b16936282bb1f4f8f9800f

SHA1
88a072963a5534877816f15b8f6232783f2b22f9

SHA256
53ef9d8eda7fa14ad05cf2f5b48dfdf1d019e6cc16ebbb201c6289ad29a7c5d5

SHA512
4a4e949465816a5f645c8c5f7dc16dcad167f772fa1c1ff37b6b05855989d00203659172e3c8386929bb007bf3c97ca77d9582df10d03b6068d6ba05e6eaa32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE
MD5
b10029d3c6b16936282bb1f4f8f9800f

SHA1
88a072963a5534877816f15b8f6232783f2b22f9

SHA256
53ef9d8eda7fa14ad05cf2f5b48dfdf1d019e6cc16ebbb201c6289ad29a7c5d5

SHA512
4a4e949465816a5f645c8c5f7dc16dcad167f772fa1c1ff37b6b05855989d00203659172e3c8386929bb007bf3c97ca77d9582df10d03b6068d6ba05e6eaa32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE
MD5
b10029d3c6b16936282bb1f4f8f9800f

SHA1
88a072963a5534877816f15b8f6232783f2b22f9

SHA256
53ef9d8eda7fa14ad05cf2f5b48dfdf1d019e6cc16ebbb201c6289ad29a7c5d5

SHA512
4a4e949465816a5f645c8c5f7dc16dcad167f772fa1c1ff37b6b05855989d00203659172e3c8386929bb007bf3c97ca77d9582df10d03b6068d6ba05e6eaa32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCUMENT.PDF
MD5
d324162cdd908ade76beda48e52b49e7

SHA1
eea257a8baa023e401f84c6ccf861e8b0d382110

SHA256
fbff1a74a1a7788092733f9faea8c1da99237c6747404b4a655fa4038a6b93f3

SHA512
e7d85b020b7056e91f41511d431980d98a5efac2c33c95951ac2c168613756a37ad866d695b6087dc52d39f6875246de6e4b144a94c9628a70344d2e1d4f42ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MONITRGB.EXE
MD5
3249d13afb426578deb66edb0e9516af

SHA1
436883ff5b82c44c0cfdd4cfbab1fc6e64e24475

SHA256
b023387ccd7949ae1be2b70ad40aa6f0ec808c169a99d3af39ea0ae90a9459bf

SHA512
d9ed7b5f855a00166bb0cacb9e228f9c7bf0901b45730df28fd3c1e9a9f8bf73963b9a0ad862c26be486b09f5633106a7ff6bb67157e362e853c9551b7af77ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MONITRGB.EXE
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MONITRGB.EXE
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
82de325072053f114abc193a8116020c

SHA1
85420207a4f5ecebf37415f607360ddb5c5fbff0

SHA256
c4ae67662af61712458b1367145c2e30476ec1904cff1915aed83350c2417afc

SHA512
660202a1485b755ac7338d40a6d8e3f88de99119a61648c897440334a9aacbe6184195b274d1f6e59028f44208f14272c05c8735d43b0aa68741889dfd71866c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TVLSWPLE.EXE
MD5
132164f127b71081ae8d08c255aa1cf0

SHA1
51c49fb79251cedf829bba12935dea2b7703ed82

SHA256
c9f9574e470e0867e1d9a2d80f0828202b74ffff8a8623e6a7324f3e3881a66a

SHA512
05619c7c7612ff91d52abeab35f0c7abc4571865c46f2f0e16c909065cd4406ae27ae1d3e4a47cc7ac39d827a1edf2124b9dcb50f9f6f071988af7884efd2849

Download Submit
C:\Users\Admin\AppData\Local\Temp\TVLSWPLE.EXE
MD5
132164f127b71081ae8d08c255aa1cf0

SHA1
51c49fb79251cedf829bba12935dea2b7703ed82

SHA256
c9f9574e470e0867e1d9a2d80f0828202b74ffff8a8623e6a7324f3e3881a66a

SHA512
05619c7c7612ff91d52abeab35f0c7abc4571865c46f2f0e16c909065cd4406ae27ae1d3e4a47cc7ac39d827a1edf2124b9dcb50f9f6f071988af7884efd2849

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
MD5
73c1b3630ed66331026169de872131df

SHA1
180fb9ec970382fb7757032744ac12d6c1d6f197

SHA256
a8cdd854048f3c2b2937f100764a5c52307cec90a62f7b7635b1c69b73a3d7bf

SHA512
28302e7b38758f135d3e049ae695149bfb3d099be509349b37024d8b0888dfed747ca2c3cc81843aeb7b3d4ae4b08a60828c9e1d2183c45d519c60a05b70b501

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
MD5
73c1b3630ed66331026169de872131df

SHA1
180fb9ec970382fb7757032744ac12d6c1d6f197

SHA256
a8cdd854048f3c2b2937f100764a5c52307cec90a62f7b7635b1c69b73a3d7bf

SHA512
28302e7b38758f135d3e049ae695149bfb3d099be509349b37024d8b0888dfed747ca2c3cc81843aeb7b3d4ae4b08a60828c9e1d2183c45d519c60a05b70b501

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
MD5
73c1b3630ed66331026169de872131df

SHA1
180fb9ec970382fb7757032744ac12d6c1d6f197

SHA256
a8cdd854048f3c2b2937f100764a5c52307cec90a62f7b7635b1c69b73a3d7bf

SHA512
28302e7b38758f135d3e049ae695149bfb3d099be509349b37024d8b0888dfed747ca2c3cc81843aeb7b3d4ae4b08a60828c9e1d2183c45d519c60a05b70b501

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDRVAMS.EXE
MD5
ec486a1285fa966264b5e53851d5ca8d

SHA1
f343ecbc4722711c6283f41d073e3496e4c72065

SHA256
123477e7c181f361cd8e79634cb16f5c17097d0135f69b557bec37e20e6a83db

SHA512
923cf391e3a1db6c642645e9f7f28672735aa3bd51c66f14ba4461db9ebf98e4d47ecc9862b96283a6947d82dc7c6f2e3a1568e4823b48bbbb5af5975035fec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDRVAMS.EXE
MD5
ec486a1285fa966264b5e53851d5ca8d

SHA1
f343ecbc4722711c6283f41d073e3496e4c72065

SHA256
123477e7c181f361cd8e79634cb16f5c17097d0135f69b557bec37e20e6a83db

SHA512
923cf391e3a1db6c642645e9f7f28672735aa3bd51c66f14ba4461db9ebf98e4d47ecc9862b96283a6947d82dc7c6f2e3a1568e4823b48bbbb5af5975035fec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
C:\Users\Admin\Documents\rarl.EXE
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
C:\Users\Admin\Documents\rarl.exe
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
C:\Users\Admin\Documents\skype64.exe
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\Documents\skype64.exe
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
C:\Users\Admin\Documents\winskype.EXE
MD5
8da1beb8d0bd395cb183333e391269f2

SHA1
c1a7321e85ce8a80febecab35fe3a926bd4478fe

SHA256
31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84

SHA512
c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0

Download Submit
C:\Users\Admin\Documents\winskype.exe
MD5
22e1a416bda1995c300734c2cf3c28c3

SHA1
86825c7be5038c7ab4faacc9b6701493629aa8e9

SHA256
7d9d27a3a288afc138f09804bfc1bf8ee41b265729bd4061315dd9668d9a50fd

SHA512
821d362871f1652f261b52bd3da7d6dbcaedcae719804c9c3f44d5acc4740d731e055eb94bd155e878d35451117f241335c594c3bd6e91aaff5af7027f6e864b

Download Submit
C:\Users\Admin\Documents\winskype.exe
MD5
8da1beb8d0bd395cb183333e391269f2

SHA1
c1a7321e85ce8a80febecab35fe3a926bd4478fe

SHA256
31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84

SHA512
c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0

Download Submit
C:\Windows\system32\drivers\etc\hosts
MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts
MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
\Users\Admin\AppData\Local\Temp\AMDCPUL.EXE
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE
MD5
b10029d3c6b16936282bb1f4f8f9800f

SHA1
88a072963a5534877816f15b8f6232783f2b22f9

SHA256
53ef9d8eda7fa14ad05cf2f5b48dfdf1d019e6cc16ebbb201c6289ad29a7c5d5

SHA512
4a4e949465816a5f645c8c5f7dc16dcad167f772fa1c1ff37b6b05855989d00203659172e3c8386929bb007bf3c97ca77d9582df10d03b6068d6ba05e6eaa32f

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOMLE.EXE
MD5
b10029d3c6b16936282bb1f4f8f9800f

SHA1
88a072963a5534877816f15b8f6232783f2b22f9

SHA256
53ef9d8eda7fa14ad05cf2f5b48dfdf1d019e6cc16ebbb201c6289ad29a7c5d5

SHA512
4a4e949465816a5f645c8c5f7dc16dcad167f772fa1c1ff37b6b05855989d00203659172e3c8386929bb007bf3c97ca77d9582df10d03b6068d6ba05e6eaa32f

Download Submit
\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
\Users\Admin\AppData\Local\Temp\CLwPnD6Wc4q5GVo4\svhtiwes.exe
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
\Users\Admin\AppData\Local\Temp\MONITRGB.EXE
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
\Users\Admin\AppData\Local\Temp\MONITRGB.EXE
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
bd5ae26b2d69a4729f4713e75dddbc21

SHA1
6c5f51f1f52339d3248e4293523048f11b604562

SHA256
694ba512b6bd3039214e4eecfa5e78536d7b410d3e57d0ab55615076327199f7

SHA512
87b499efde2fd8ab72205466f284edf2ada7afca1f5db3da0b30c36d3d23dd2617d8aede7178713ce4cb7f32278e0c1aee1ec638079a34ae6757b3cdcf919608

Download Submit
\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
cc060b962dfd4639d507285edff6083d

SHA1
ac4bbea4f97ef67ed5ae637e98c0e6442969e96a

SHA256
6e4219108d99c0dfcb7ce54ce7de7a1475543a74310a6e98f1a614919caa537e

SHA512
767b30a9f4783617644c21b5464bb96938e4ceaf22369b0fe283b96e19badcb500af0381b96eafab29e5f07337cf002894db013509e4ea98ac61e0b94c9c2097

Download Submit
\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
\Users\Admin\AppData\Local\Temp\SERVWINLE.EXE
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
\Users\Admin\AppData\Local\Temp\TVLSWPLE.EXE
MD5
132164f127b71081ae8d08c255aa1cf0

SHA1
51c49fb79251cedf829bba12935dea2b7703ed82

SHA256
c9f9574e470e0867e1d9a2d80f0828202b74ffff8a8623e6a7324f3e3881a66a

SHA512
05619c7c7612ff91d52abeab35f0c7abc4571865c46f2f0e16c909065cd4406ae27ae1d3e4a47cc7ac39d827a1edf2124b9dcb50f9f6f071988af7884efd2849

Download Submit
\Users\Admin\AppData\Local\Temp\TVLSWPLE.EXE
MD5
132164f127b71081ae8d08c255aa1cf0

SHA1
51c49fb79251cedf829bba12935dea2b7703ed82

SHA256
c9f9574e470e0867e1d9a2d80f0828202b74ffff8a8623e6a7324f3e3881a66a

SHA512
05619c7c7612ff91d52abeab35f0c7abc4571865c46f2f0e16c909065cd4406ae27ae1d3e4a47cc7ac39d827a1edf2124b9dcb50f9f6f071988af7884efd2849

Download Submit
\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
MD5
73c1b3630ed66331026169de872131df

SHA1
180fb9ec970382fb7757032744ac12d6c1d6f197

SHA256
a8cdd854048f3c2b2937f100764a5c52307cec90a62f7b7635b1c69b73a3d7bf

SHA512
28302e7b38758f135d3e049ae695149bfb3d099be509349b37024d8b0888dfed747ca2c3cc81843aeb7b3d4ae4b08a60828c9e1d2183c45d519c60a05b70b501

Download Submit
\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
MD5
73c1b3630ed66331026169de872131df

SHA1
180fb9ec970382fb7757032744ac12d6c1d6f197

SHA256
a8cdd854048f3c2b2937f100764a5c52307cec90a62f7b7635b1c69b73a3d7bf

SHA512
28302e7b38758f135d3e049ae695149bfb3d099be509349b37024d8b0888dfed747ca2c3cc81843aeb7b3d4ae4b08a60828c9e1d2183c45d519c60a05b70b501

Download Submit
\Users\Admin\AppData\Local\Temp\VIDEOGPU.EXE
MD5
73c1b3630ed66331026169de872131df

SHA1
180fb9ec970382fb7757032744ac12d6c1d6f197

SHA256
a8cdd854048f3c2b2937f100764a5c52307cec90a62f7b7635b1c69b73a3d7bf

SHA512
28302e7b38758f135d3e049ae695149bfb3d099be509349b37024d8b0888dfed747ca2c3cc81843aeb7b3d4ae4b08a60828c9e1d2183c45d519c60a05b70b501

Download Submit
\Users\Admin\AppData\Local\Temp\WINDRVAMS.EXE
MD5
ec486a1285fa966264b5e53851d5ca8d

SHA1
f343ecbc4722711c6283f41d073e3496e4c72065

SHA256
123477e7c181f361cd8e79634cb16f5c17097d0135f69b557bec37e20e6a83db

SHA512
923cf391e3a1db6c642645e9f7f28672735aa3bd51c66f14ba4461db9ebf98e4d47ecc9862b96283a6947d82dc7c6f2e3a1568e4823b48bbbb5af5975035fec7

Download Submit
\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
\Users\Admin\AppData\Local\Temp\z2KQhhNiHkHL54H6\chromes.exe
MD5
23b03512461bacd660b33b44acd06708

SHA1
9b4f74b3364d51605246e87ebd819821457f16c1

SHA256
51a99b258b74bc50ae1319d2d737263128c08ec424b141a1fcf55daab285c45b

SHA512
2cd667c7115dce4b73b1d984b1ea44ff02b08a85bc9b74a37e6a4f6dff8c1812f44ae82fa37d0ce4eb44b0c10e14a2ddb79cd5f59cde4007a8d082345118df0b

Download Submit
\Users\Admin\Documents\rarl.exe
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
\Users\Admin\Documents\rarl.exe
MD5
8e2d21d8512656045f68382b690fca0e

SHA1
fc26e4dc0f4781e0e56d7a9780a4d3d871f20ddf

SHA256
86d81005d981ed146b6a9738becfe12ffd3b8b0bf132453a7d49dd246ff3793d

SHA512
c425514efd91edb116a465ab17223541b17f1e8cd9557f757c58f2d8112873fefb60aa1067ea3fb614be240dffac456b754fdc235ffb96d5346f2c4560ca96bc

Download Submit
\Users\Admin\Documents\skype64.exe
MD5
67f67264529f0f8088a75f9cf1b4c31c

SHA1
e6c039ea26107c18d9ba18ce59b8d021d2f35e2e

SHA256
834e56cc2a5e467f90212ad4a1b0102274ff9acdfc82357b37db2526708bfbbe

SHA512
9585b25b2aa8dde8536c44f46d3b74cee3c84f2a3fe86ab59a6b295230dfce9aa0e424383f7c1594bd508a82365ed230e003f27d14c6d60cc7db750710917f06

Download Submit
\Users\Admin\Documents\winskype.exe
MD5
8da1beb8d0bd395cb183333e391269f2

SHA1
c1a7321e85ce8a80febecab35fe3a926bd4478fe

SHA256
31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84

SHA512
c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0

Download Submit
\Users\Admin\Documents\winskype.exe
MD5
8da1beb8d0bd395cb183333e391269f2

SHA1
c1a7321e85ce8a80febecab35fe3a926bd4478fe

SHA256
31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84

SHA512
c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0

Download Submit
memory/240-156-0x0000000000000000-mapping.dmp

Download
memory/240-167-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/484-160-0x0000000000000000-mapping.dmp

Download
memory/532-93-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/532-88-0x0000000000000000-mapping.dmp

Download
memory/580-25-0x0000000000000000-mapping.dmp

Download
memory/580-168-0x0000000000000000-mapping.dmp

Download
memory/584-141-0x0000000000000000-mapping.dmp

Download
memory/584-152-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/880-59-0x0000000000000000-mapping.dmp

Download
memory/924-33-0x0000000000000000-mapping.dmp

Download
memory/972-121-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/972-112-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/972-115-0x0000000000405CE2-mapping.dmp

Download
memory/1044-166-0x0000000000000000-mapping.dmp

Download
memory/1224-142-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/1224-146-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1224-130-0x000000000048F888-mapping.dmp

Download
memory/1244-137-0x0000000000000000-mapping.dmp

Download
memory/1280-46-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1280-20-0x0000000000000000-mapping.dmp

Download
memory/1332-29-0x0000000000000000-mapping.dmp

Download
memory/1424-95-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1424-105-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1424-96-0x000000000046A08C-mapping.dmp

Download
memory/1440-5-0x000000000048F888-mapping.dmp

Download
memory/1440-4-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/1440-7-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/1440-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1440-6-0x0000000076311000-0x0000000076313000-memory.dmp

Filesize
8KB

Download
memory/1564-51-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1564-50-0x0000000000000000-mapping.dmp

Download
memory/1596-81-0x0000000000000000-mapping.dmp

Download
memory/1612-106-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1612-102-0x0000000000000000-mapping.dmp

Download
memory/1624-43-0x0000000000000000-mapping.dmp

Download
memory/1624-53-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1648-44-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1648-10-0x0000000000000000-mapping.dmp

Download
memory/1652-86-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1652-76-0x00000000004BD800-mapping.dmp

Download
memory/1652-74-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1652-84-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1656-69-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/1656-67-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1656-68-0x0000000004B55000-0x0000000004B66000-memory.dmp

Filesize
68KB

Download
memory/1656-35-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-13-0x0000000000000000-mapping.dmp

Download
memory/1656-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1656-129-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/1700-153-0x0000000000000000-mapping.dmp

Download
memory/1784-165-0x0000000000000000-mapping.dmp

Download
memory/1828-118-0x00000000004B57C0-mapping.dmp

Download
memory/1828-114-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1828-122-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1828-127-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1832-17-0x0000000000000000-mapping.dmp

Download
memory/1900-176-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1900-145-0x0000000000000000-mapping.dmp

Download
memory/1900-154-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1908-124-0x0000000000000000-mapping.dmp

Download
memory/2068-177-0x0000000000000000-mapping.dmp

Download
memory/2076-178-0x0000000000000000-mapping.dmp

Download
memory/2092-182-0x00000000004BD800-mapping.dmp

Download
memory/2136-184-0x0000000000000000-mapping.dmp

Download
memory/2180-189-0x000000000046A08C-mapping.dmp

Download
memory/2288-198-0x00000000004B57C0-mapping.dmp

Download
memory/2320-202-0x0000000000405CE2-mapping.dmp

Download
memory/2364-204-0x0000000000000000-mapping.dmp

Download
memory/2364-205-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2432-210-0x00000000004BD800-mapping.dmp

Download
memory/2456-213-0x000000000046A08C-mapping.dmp

Download
memory/2528-216-0x0000000000405CE2-mapping.dmp

Download
memory/2528-215-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download