asyncrat | 5ca12788e41f318c0ce21ad6a83020fe303f9219811451651335e51e8b891b63

Analysis

max time kernel
80s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2022 11:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Dogecoin-Miner2022/Dogecoin-Miner2022l.exe
Size

2.1MB
MD5

36620d7c222248584634f10481f3be35
SHA1

2f65c68e266d55fe334f2bb3fcd8f824b090cf5f
SHA256

ff2bc238f2ce0d5c0b08af957f4098b63f3c402edc3694370950805780647888
SHA512

8d03f58e08c3c6553551e0d7ad7ef8ddc591c0f174d3c99cfc757e466038a4d1829c3643605ec64fbc7f65385036030a704b9f0835ab8bd58f9f3d92ea75928c
SSDEEP

49152:MeEP61UdA1RtpDlgwG20lx7xV+59phiYBF1h3tfK2ek0jg:J1UoRtpJg/lx7xY9phBF1ptC2ekM

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 new-july-july4-01 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-01

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-U4BEN1Z

Attributes

gencode
8sAQdbHcGDto
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

45.74.4.244:5199

dgorijan20785.hopto.org:5199

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5868-240-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 18 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3744-224-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3444-223-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3744-230-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3444-229-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3444-237-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3744-238-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3220-242-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3220-247-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3220-261-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1268-291-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3816-292-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4584-293-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1268-294-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3816-297-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4584-298-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3220-302-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3444-310-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3744-313-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

DRVHDD.EXEInstallUtil.exeDRVHDD.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE

Executes dropped EXE 24 IoCs

Processes:

ADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEDRVHDD.EXEWINLOGONW.EXEUSBDRVI.EXEWINLOGONW.EXEWINCPU.EXEWINPLAYEER.EXEWINCPU.EXEUSBDRVI.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEwintsklt.exe

pid	process
4728	ADOBESTV.EXE
5076	DRVHDD.EXE
3592	USBDRVI.EXE
4904	WINCPU.EXE
2132	WINLOGONW.EXE
1320	WINPLAYEER.EXE
1296	ADOBESTV.EXE
728	DRVHDD.EXE
3728	USBDRVI.EXE
1464	WINCPU.EXE
4800	WINLOGONW.EXE
1696	WINPLAYEER.EXE
2684	DRVHDD.EXE
4456	WINLOGONW.EXE
3444	USBDRVI.EXE
3744	WINLOGONW.EXE
5868	WINCPU.EXE
3220	WINPLAYEER.EXE
3860	WINCPU.EXE
1268	USBDRVI.EXE
4568	DRVHDD.EXE
3816	WINPLAYEER.EXE
4584	WINLOGONW.EXE
1272	wintsklt.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3640-146-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/3640-148-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/3640-149-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/3640-162-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/3640-202-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/2684-204-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2684-206-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2684-207-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2684-208-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2684-211-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5624-213-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5624-215-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5624-216-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5624-233-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4568-279-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4084-290-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5624-309-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/2684-312-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3640-311-0x0000000000400000-0x00000000007B8000-memory.dmp	upx

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Dogecoin-Miner2022l.exeUSBDRVI.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEwintsklt.exeADOBESTV.EXEDRVHDD.EXEWINCPU.EXEADOBESTV.EXEWINPLAYEER.EXEWINLOGONW.EXEUSBDRVI.EXEWINCPU.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Dogecoin-Miner2022l.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ADOBESTV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ADOBESTV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINCPU.EXE

Drops startup file 2 IoCs

Processes:

WINPLAYEER.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINPLAYEER.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINPLAYEER.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINPLAYEER.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINPLAYEER.EXE

Suspicious use of SetThreadContext 13 IoCs

Processes:

Dogecoin-Miner2022l.exeDRVHDD.EXEADOBESTV.EXEUSBDRVI.EXEWINLOGONW.EXEWINCPU.EXEWINPLAYEER.EXEWINCPU.EXEUSBDRVI.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEADOBESTV.EXE

description	pid	process	target process
PID 4768 set thread context of 3640	4768	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 5076 set thread context of 2684	5076	DRVHDD.EXE	DRVHDD.EXE
PID 4728 set thread context of 5624	4728	ADOBESTV.EXE	InstallUtil.exe
PID 3592 set thread context of 3444	3592	USBDRVI.EXE	USBDRVI.EXE
PID 2132 set thread context of 3744	2132	WINLOGONW.EXE	WINLOGONW.EXE
PID 4904 set thread context of 5868	4904	WINCPU.EXE	WINCPU.EXE
PID 1320 set thread context of 3220	1320	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 1464 set thread context of 3860	1464	WINCPU.EXE	WINCPU.EXE
PID 3728 set thread context of 1268	3728	USBDRVI.EXE	USBDRVI.EXE
PID 728 set thread context of 4568	728	DRVHDD.EXE	DRVHDD.EXE
PID 1696 set thread context of 3816	1696	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 4800 set thread context of 4584	4800	WINLOGONW.EXE	WINLOGONW.EXE
PID 1296 set thread context of 4084	1296	ADOBESTV.EXE	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

NTFS ADS 1 IoCs

Processes:

WINPLAYEER.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINPLAYEER.EXE

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINPLAYEER.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeDogecoin-Miner2022l.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeDRVHDD.EXEADOBESTV.EXEWINLOGONW.EXEUSBDRVI.EXEWINCPU.EXEWINPLAYEER.EXEWINCPU.EXEUSBDRVI.EXEWINPLAYEER.EXE

pid	process
4792	powershell.exe
4792	powershell.exe
4768	Dogecoin-Miner2022l.exe
4768	Dogecoin-Miner2022l.exe
3996	powershell.exe
3996	powershell.exe
4624	powershell.exe
4624	powershell.exe
4824	powershell.exe
4824	powershell.exe
3416	powershell.exe
3416	powershell.exe
3472	powershell.exe
3472	powershell.exe
212	powershell.exe
212	powershell.exe
4376	powershell.exe
4376	powershell.exe
4408	powershell.exe
4408	powershell.exe
4268	powershell.exe
4268	powershell.exe
2588	powershell.exe
2588	powershell.exe
5132	powershell.exe
5132	powershell.exe
5252	powershell.exe
5252	powershell.exe
3996	powershell.exe
3996	powershell.exe
4624	powershell.exe
4624	powershell.exe
4824	powershell.exe
3416	powershell.exe
3472	powershell.exe
212	powershell.exe
4408	powershell.exe
4376	powershell.exe
5132	powershell.exe
4268	powershell.exe
2588	powershell.exe
5252	powershell.exe
5076	DRVHDD.EXE
5076	DRVHDD.EXE
4728	ADOBESTV.EXE
4728	ADOBESTV.EXE
2132	WINLOGONW.EXE
2132	WINLOGONW.EXE
2132	WINLOGONW.EXE
2132	WINLOGONW.EXE
3592	USBDRVI.EXE
3592	USBDRVI.EXE
2132	WINLOGONW.EXE
2132	WINLOGONW.EXE
4904	WINCPU.EXE
4904	WINCPU.EXE
1320	WINPLAYEER.EXE
1320	WINPLAYEER.EXE
1464	WINCPU.EXE
1464	WINCPU.EXE
3728	USBDRVI.EXE
3728	USBDRVI.EXE
1696	WINPLAYEER.EXE
1696	WINPLAYEER.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeDRVHDD.EXEDRVHDD.EXEInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeIncreaseQuotaPrivilege	3640	InstallUtil.exe
Token: SeSecurityPrivilege	3640	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	3640	InstallUtil.exe
Token: SeLoadDriverPrivilege	3640	InstallUtil.exe
Token: SeSystemProfilePrivilege	3640	InstallUtil.exe
Token: SeSystemtimePrivilege	3640	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	3640	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3640	InstallUtil.exe
Token: SeCreatePagefilePrivilege	3640	InstallUtil.exe
Token: SeBackupPrivilege	3640	InstallUtil.exe
Token: SeRestorePrivilege	3640	InstallUtil.exe
Token: SeShutdownPrivilege	3640	InstallUtil.exe
Token: SeDebugPrivilege	3640	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	3640	InstallUtil.exe
Token: SeChangeNotifyPrivilege	3640	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	3640	InstallUtil.exe
Token: SeUndockPrivilege	3640	InstallUtil.exe
Token: SeManageVolumePrivilege	3640	InstallUtil.exe
Token: SeImpersonatePrivilege	3640	InstallUtil.exe
Token: SeCreateGlobalPrivilege	3640	InstallUtil.exe
Token: 33	3640	InstallUtil.exe
Token: 34	3640	InstallUtil.exe
Token: 35	3640	InstallUtil.exe
Token: 36	3640	InstallUtil.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeDebugPrivilege	5076	DRVHDD.EXE
Token: SeIncreaseQuotaPrivilege	2684	DRVHDD.EXE
Token: SeSecurityPrivilege	2684	DRVHDD.EXE
Token: SeTakeOwnershipPrivilege	2684	DRVHDD.EXE
Token: SeLoadDriverPrivilege	2684	DRVHDD.EXE
Token: SeSystemProfilePrivilege	2684	DRVHDD.EXE
Token: SeSystemtimePrivilege	2684	DRVHDD.EXE
Token: SeProfSingleProcessPrivilege	2684	DRVHDD.EXE
Token: SeIncBasePriorityPrivilege	2684	DRVHDD.EXE
Token: SeCreatePagefilePrivilege	2684	DRVHDD.EXE
Token: SeBackupPrivilege	2684	DRVHDD.EXE
Token: SeRestorePrivilege	2684	DRVHDD.EXE
Token: SeShutdownPrivilege	2684	DRVHDD.EXE
Token: SeDebugPrivilege	2684	DRVHDD.EXE
Token: SeSystemEnvironmentPrivilege	2684	DRVHDD.EXE
Token: SeChangeNotifyPrivilege	2684	DRVHDD.EXE
Token: SeRemoteShutdownPrivilege	2684	DRVHDD.EXE
Token: SeUndockPrivilege	2684	DRVHDD.EXE
Token: SeManageVolumePrivilege	2684	DRVHDD.EXE
Token: SeImpersonatePrivilege	2684	DRVHDD.EXE
Token: SeCreateGlobalPrivilege	2684	DRVHDD.EXE
Token: 33	2684	DRVHDD.EXE
Token: 34	2684	DRVHDD.EXE
Token: 35	2684	DRVHDD.EXE
Token: 36	2684	DRVHDD.EXE
Token: SeShutdownPrivilege	5624	InstallUtil.exe
Token: SeDebugPrivilege	5624	InstallUtil.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

InstallUtil.exeDRVHDD.EXEInstallUtil.exeUSBDRVI.EXELogonUI.exe

pid process

3640 InstallUtil.exe
2684 DRVHDD.EXE
5624 InstallUtil.exe
3444 USBDRVI.EXE
1076 LogonUI.exe

pid	process
3640	InstallUtil.exe
2684	DRVHDD.EXE
5624	InstallUtil.exe
3444	USBDRVI.EXE
1076	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dogecoin-Miner2022l.exeInstallUtil.exeADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINLOGONW.EXEWINCPU.EXEWINPLAYEER.EXE

description	pid	process	target process
PID 4768 wrote to memory of 4792	4768	Dogecoin-Miner2022l.exe	powershell.exe
PID 4768 wrote to memory of 4792	4768	Dogecoin-Miner2022l.exe	powershell.exe
PID 4768 wrote to memory of 4792	4768	Dogecoin-Miner2022l.exe	powershell.exe
PID 4768 wrote to memory of 3640	4768	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 4768 wrote to memory of 3640	4768	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 4768 wrote to memory of 3640	4768	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 4768 wrote to memory of 3640	4768	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 4768 wrote to memory of 3640	4768	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 4768 wrote to memory of 3640	4768	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 4768 wrote to memory of 3640	4768	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 3640 wrote to memory of 4728	3640	InstallUtil.exe	ADOBESTV.EXE
PID 3640 wrote to memory of 4728	3640	InstallUtil.exe	ADOBESTV.EXE
PID 3640 wrote to memory of 4728	3640	InstallUtil.exe	ADOBESTV.EXE
PID 3640 wrote to memory of 5076	3640	InstallUtil.exe	DRVHDD.EXE
PID 3640 wrote to memory of 5076	3640	InstallUtil.exe	DRVHDD.EXE
PID 3640 wrote to memory of 5076	3640	InstallUtil.exe	DRVHDD.EXE
PID 3640 wrote to memory of 3592	3640	InstallUtil.exe	USBDRVI.EXE
PID 3640 wrote to memory of 3592	3640	InstallUtil.exe	USBDRVI.EXE
PID 3640 wrote to memory of 3592	3640	InstallUtil.exe	USBDRVI.EXE
PID 3640 wrote to memory of 4904	3640	InstallUtil.exe	WINCPU.EXE
PID 3640 wrote to memory of 4904	3640	InstallUtil.exe	WINCPU.EXE
PID 3640 wrote to memory of 4904	3640	InstallUtil.exe	WINCPU.EXE
PID 3640 wrote to memory of 2132	3640	InstallUtil.exe	WINLOGONW.EXE
PID 3640 wrote to memory of 2132	3640	InstallUtil.exe	WINLOGONW.EXE
PID 3640 wrote to memory of 2132	3640	InstallUtil.exe	WINLOGONW.EXE
PID 3640 wrote to memory of 1320	3640	InstallUtil.exe	WINPLAYEER.EXE
PID 3640 wrote to memory of 1320	3640	InstallUtil.exe	WINPLAYEER.EXE
PID 3640 wrote to memory of 1320	3640	InstallUtil.exe	WINPLAYEER.EXE
PID 3640 wrote to memory of 1296	3640	InstallUtil.exe	ADOBESTV.EXE
PID 3640 wrote to memory of 1296	3640	InstallUtil.exe	ADOBESTV.EXE
PID 3640 wrote to memory of 1296	3640	InstallUtil.exe	ADOBESTV.EXE
PID 3640 wrote to memory of 728	3640	InstallUtil.exe	DRVHDD.EXE
PID 3640 wrote to memory of 728	3640	InstallUtil.exe	DRVHDD.EXE
PID 3640 wrote to memory of 728	3640	InstallUtil.exe	DRVHDD.EXE
PID 3640 wrote to memory of 3728	3640	InstallUtil.exe	USBDRVI.EXE
PID 3640 wrote to memory of 3728	3640	InstallUtil.exe	USBDRVI.EXE
PID 3640 wrote to memory of 3728	3640	InstallUtil.exe	USBDRVI.EXE
PID 3640 wrote to memory of 1464	3640	InstallUtil.exe	WINCPU.EXE
PID 3640 wrote to memory of 1464	3640	InstallUtil.exe	WINCPU.EXE
PID 3640 wrote to memory of 1464	3640	InstallUtil.exe	WINCPU.EXE
PID 4728 wrote to memory of 4624	4728	ADOBESTV.EXE	powershell.exe
PID 4728 wrote to memory of 4624	4728	ADOBESTV.EXE	powershell.exe
PID 4728 wrote to memory of 4624	4728	ADOBESTV.EXE	powershell.exe
PID 3640 wrote to memory of 4800	3640	InstallUtil.exe	WINLOGONW.EXE
PID 3640 wrote to memory of 4800	3640	InstallUtil.exe	WINLOGONW.EXE
PID 3640 wrote to memory of 4800	3640	InstallUtil.exe	WINLOGONW.EXE
PID 5076 wrote to memory of 3996	5076	DRVHDD.EXE	powershell.exe
PID 5076 wrote to memory of 3996	5076	DRVHDD.EXE	powershell.exe
PID 5076 wrote to memory of 3996	5076	DRVHDD.EXE	powershell.exe
PID 3640 wrote to memory of 1696	3640	InstallUtil.exe	WINPLAYEER.EXE
PID 3640 wrote to memory of 1696	3640	InstallUtil.exe	WINPLAYEER.EXE
PID 3640 wrote to memory of 1696	3640	InstallUtil.exe	WINPLAYEER.EXE
PID 3592 wrote to memory of 4824	3592	USBDRVI.EXE	powershell.exe
PID 3592 wrote to memory of 4824	3592	USBDRVI.EXE	powershell.exe
PID 3592 wrote to memory of 4824	3592	USBDRVI.EXE	powershell.exe
PID 2132 wrote to memory of 3416	2132	WINLOGONW.EXE	powershell.exe
PID 2132 wrote to memory of 3416	2132	WINLOGONW.EXE	powershell.exe
PID 2132 wrote to memory of 3416	2132	WINLOGONW.EXE	powershell.exe
PID 4904 wrote to memory of 3472	4904	WINCPU.EXE	powershell.exe
PID 4904 wrote to memory of 3472	4904	WINCPU.EXE	powershell.exe
PID 4904 wrote to memory of 3472	4904	WINCPU.EXE	powershell.exe
PID 1320 wrote to memory of 212	1320	WINPLAYEER.EXE	powershell.exe
PID 1320 wrote to memory of 212	1320	WINPLAYEER.EXE	powershell.exe
PID 1320 wrote to memory of 212	1320	WINPLAYEER.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022\Dogecoin-Miner2022l.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022\Dogecoin-Miner2022l.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5624

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
4⤵
- Executes dropped EXE
PID:4456

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
4⤵
- Executes dropped EXE
PID:3744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:3220

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4568

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
4⤵
- Executes dropped EXE
PID:5868

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
4⤵
- Executes dropped EXE
PID:1268

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5252

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
4⤵
- Executes dropped EXE
PID:3816

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5132

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
4⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
4⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADOBESTV.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRVHDD.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USBDRVI.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINCPU.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINLOGONW.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINPLAYEER.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
c20d5f4af4bc0cd653422689c8fd0c28

SHA1
8dd35cca579e0a90fe6b63ef92baac72339205a4

SHA256
41429be0d090164177059e4c6c1d6717696e206ed02c5562f60efd3ca86703e5

SHA512
a1c371978b811bb47dcc4efc00643aad158b559ce55eec8e01dd82a9d058c9fd295115f7417db25145fe920bfb4e3f9328be6876ea542c2314f42122ed132ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
48b5c654cf7e423d59f6e3fff07c352c

SHA1
10c6c4961a487ff6521c0e6ba68f11982a06570a

SHA256
3902192c3a03993c8277fd6dd4d75d82890ed72294e33a14986276262dd90a85

SHA512
d4cb6610a9a82705bec94867d47df5882093b4d1f09fa9293169236df6068e5633fd800ced8528070474c1603b87e2e70bdb3913c060bb58a7a710f77b6b6cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
08e68394f958e54b870e3274d6cdc943

SHA1
9335e5f7ee21780c8ae82616ef9e43c6d3a75466

SHA256
9927962602fa04b3eb48546b3cfe93e89139651d9ce184c7f26186e2864ae551

SHA512
d5860b2690456c9a808652d356339ef8100456a6870a4301a93fb9655aaad93ab3aadff9692f3bd754a6366032fcf05d754b2aecb5a872f16ed24c7ddc0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
caf186bc6aed2d0afbbe1badd09b5d22

SHA1
9d86d42c556c194a2a21b4b13141cadd1c3c9b34

SHA256
7571a6679615101f4c7db993ed6bdbb0ec208e09cf40f60adbae5db8024d7028

SHA512
5d25ee684f092bce1b354ba5862ca25781354405d86f489645d88d8023f8428cac1f73650528e545d1c87f280c8f77da08f54fbcfc330d1ecd15bd338ca9f191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
b20735d4057654660ee7f9774c6979a2

SHA1
f2b5ad6ca52419d71b29b9f8a8491083221c4c63

SHA256
69ebbaa0870556e4861ab86cf8b17d49ce127ccc3396526e384f5b287eaaa54f

SHA512
a4a219224e1e98281af9fd71d9ab90a2a85cf3d2752194ddeef1a776cb200cfdabbf6cf6fa84f66166a2e37d0df4a9ac6d012a0a450fb216e9b4b4208f28ea6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
d70f29aba1bff82105e18fbc7a020cf7

SHA1
70884c163302ce265e81e98f3657a10d838f57db

SHA256
95ef83de0354d9086a3ec73bb67d759c25026655f67e7e5ae11d5be1e7729498

SHA512
a963c071b1a952cb76994e135fed0f2f8e5e09030e4bd7b7de81a553b443c6460e10dc4da4190e76784c5f1ed593aa6fd73be169b8f2f776576478850be2eeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
7e0380e89d166e29bac45661cf9ca225

SHA1
36d0814baa2db17a943648410cae31c698d96566

SHA256
2edb8bc4ac07776955b64341076e642af2fec7d8ef08adb27a33097d1d07321d

SHA512
9a6d3e59041b532b74999396d0992943968bd41923154976f4f15861a8362b733425b825a9157931682351e6fbab7ed8b813d1cea1b7b3ce7d103c1371c932c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
e2c1fc78df46e615b6a100985ea1f233

SHA1
4a3934ed91b881586c158f18774b3efb208acfd3

SHA256
113a0b2c92c209a396835aecfe7e93fa235c153c291fe7e8a6b8196235367f80

SHA512
668d2af642e25d52ebd676209c51bed1873fd16395634ded78087443a57b596825e1fd6a7a6b22e4a2a7905155da8d08f7fcd1cdcb70929d65a27c30ebd8b4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
e2c1fc78df46e615b6a100985ea1f233

SHA1
4a3934ed91b881586c158f18774b3efb208acfd3

SHA256
113a0b2c92c209a396835aecfe7e93fa235c153c291fe7e8a6b8196235367f80

SHA512
668d2af642e25d52ebd676209c51bed1873fd16395634ded78087443a57b596825e1fd6a7a6b22e4a2a7905155da8d08f7fcd1cdcb70929d65a27c30ebd8b4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
3a8882cad55fa99388f10a2125d82839

SHA1
dabc1d61c7feeffe33fa8ad461cc11ef3b006ecc

SHA256
ef0a9af8eb8f81c531c480679f3b74a66eeb136acc1f7624786f77174fc04e07

SHA512
d5aba385332509e211f7601ea026e414b26980aa198ccc0f7c766c094f12b7279530b8360c1747dfe4b7f830ca7add1c46e6cbeee718956faac934d5e4698bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
3a8882cad55fa99388f10a2125d82839

SHA1
dabc1d61c7feeffe33fa8ad461cc11ef3b006ecc

SHA256
ef0a9af8eb8f81c531c480679f3b74a66eeb136acc1f7624786f77174fc04e07

SHA512
d5aba385332509e211f7601ea026e414b26980aa198ccc0f7c766c094f12b7279530b8360c1747dfe4b7f830ca7add1c46e6cbeee718956faac934d5e4698bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
3a8882cad55fa99388f10a2125d82839

SHA1
dabc1d61c7feeffe33fa8ad461cc11ef3b006ecc

SHA256
ef0a9af8eb8f81c531c480679f3b74a66eeb136acc1f7624786f77174fc04e07

SHA512
d5aba385332509e211f7601ea026e414b26980aa198ccc0f7c766c094f12b7279530b8360c1747dfe4b7f830ca7add1c46e6cbeee718956faac934d5e4698bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/212-193-0x0000000000000000-mapping.dmp

Download
memory/728-177-0x0000000000000000-mapping.dmp

Download
memory/1268-291-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1268-255-0x0000000000000000-mapping.dmp

Download
memory/1268-294-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1272-299-0x0000000000000000-mapping.dmp

Download
memory/1296-175-0x0000000000000000-mapping.dmp

Download
memory/1320-170-0x0000000000000000-mapping.dmp

Download
memory/1320-174-0x00000000005F0000-0x0000000000666000-memory.dmp

Filesize
472KB

Download
memory/1464-180-0x0000000000000000-mapping.dmp

Download
memory/1696-186-0x0000000000000000-mapping.dmp

Download
memory/2132-166-0x0000000000000000-mapping.dmp

Download
memory/2132-171-0x0000000000790000-0x0000000000802000-memory.dmp

Filesize
456KB

Download
memory/2572-295-0x0000000000000000-mapping.dmp

Download
memory/2572-304-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2588-197-0x0000000000000000-mapping.dmp

Download
memory/2684-211-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-204-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-203-0x0000000000000000-mapping.dmp

Download
memory/2684-206-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-207-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-208-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-312-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3220-235-0x0000000000000000-mapping.dmp

Download
memory/3220-242-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3220-261-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3220-247-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3220-302-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3416-190-0x0000000000000000-mapping.dmp

Download
memory/3444-307-0x000000000AC30000-0x000000000ADD0000-memory.dmp

Filesize
1.6MB

Download
memory/3444-223-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3444-229-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3444-310-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3444-220-0x0000000000000000-mapping.dmp

Download
memory/3444-237-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3472-191-0x0000000000000000-mapping.dmp

Download
memory/3592-163-0x0000000000940000-0x00000000009B4000-memory.dmp

Filesize
464KB

Download
memory/3592-157-0x0000000000000000-mapping.dmp

Download
memory/3640-162-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3640-311-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3640-149-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3640-148-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3640-146-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3640-145-0x0000000000000000-mapping.dmp

Download
memory/3640-202-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3644-263-0x0000000000000000-mapping.dmp

Download
memory/3728-178-0x0000000000000000-mapping.dmp

Download
memory/3744-230-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3744-238-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3744-313-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3744-222-0x0000000000000000-mapping.dmp

Download
memory/3744-224-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3816-292-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3816-259-0x0000000000000000-mapping.dmp

Download
memory/3816-297-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3860-244-0x0000000000000000-mapping.dmp

Download
memory/3892-303-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/3892-296-0x0000000000000000-mapping.dmp

Download
memory/3996-185-0x0000000000000000-mapping.dmp

Download
memory/4084-276-0x0000000000000000-mapping.dmp

Download
memory/4084-290-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4268-195-0x0000000000000000-mapping.dmp

Download
memory/4376-194-0x0000000000000000-mapping.dmp

Download
memory/4408-196-0x0000000000000000-mapping.dmp

Download
memory/4456-219-0x0000000000000000-mapping.dmp

Download
memory/4568-264-0x0000000000000000-mapping.dmp

Download
memory/4568-279-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4584-298-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4584-270-0x0000000000000000-mapping.dmp

Download
memory/4584-293-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4624-182-0x0000000000000000-mapping.dmp

Download
memory/4728-156-0x00000000009C0000-0x0000000000A7A000-memory.dmp

Filesize
744KB

Download
memory/4728-150-0x0000000000000000-mapping.dmp

Download
memory/4768-132-0x0000000000D10000-0x0000000000F34000-memory.dmp

Filesize
2.1MB

Download
memory/4768-133-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/4768-134-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/4768-135-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/4792-137-0x00000000025E0000-0x0000000002616000-memory.dmp

Filesize
216KB

Download
memory/4792-142-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/4792-141-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4792-144-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/4792-140-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/4792-143-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download
memory/4792-139-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/4792-138-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/4792-136-0x0000000000000000-mapping.dmp

Download
memory/4800-183-0x0000000000000000-mapping.dmp

Download
memory/4824-189-0x0000000000000000-mapping.dmp

Download
memory/4856-305-0x0000000000000000-mapping.dmp

Download
memory/4904-167-0x00000000004E0000-0x0000000000548000-memory.dmp

Filesize
416KB

Download
memory/4904-161-0x0000000000000000-mapping.dmp

Download
memory/5076-158-0x0000000000C70000-0x0000000000D10000-memory.dmp

Filesize
640KB

Download
memory/5076-153-0x0000000000000000-mapping.dmp

Download
memory/5132-198-0x0000000000000000-mapping.dmp

Download
memory/5252-199-0x0000000000000000-mapping.dmp

Download
memory/5624-236-0x000000006F840000-0x000000006F879000-memory.dmp

Filesize
228KB

Download
memory/5624-233-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5624-213-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5624-309-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5624-212-0x0000000000000000-mapping.dmp

Download
memory/5624-215-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5624-216-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5868-232-0x0000000000000000-mapping.dmp

Download
memory/5868-308-0x0000000005410000-0x00000000054AC000-memory.dmp

Filesize
624KB

Download
memory/5868-240-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads