asyncrat | b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2023 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Size

2.9MB
MD5

62a0ea786f2524412ffd7c6ea4ce87a1
SHA1

7339871230a69684d9bf81b7e2f508b49abae5bc
SHA256

b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e
SHA512

a0e8f9445e35c3740dea160637ecc2169366d7d54e7f536238df61155a37bcd85eb6b242122dbe16ad3b40321a532d70d516e05a95e7a474c547ef37e4c77920
SSDEEP

49152:6QDgok30CdLE6uLu0n9yIPTRDLu0no6gCWELu0nbQCQwwULu0nXM+kYLu0n:6QU/hL4LP1TRDLPo6oELPb/wULPXFLP

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3520-234-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 20 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/6044-196-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6036-203-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6036-206-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6036-209-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6044-207-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6044-202-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3884-236-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3884-252-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2308-249-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3884-267-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1724-268-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4272-269-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1724-271-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2308-270-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4272-272-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/6036-277-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6044-285-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3884-287-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1904-301-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1904-305-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exeDRVHDD.EXEDRVHDD.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE

Executes dropped EXE 28 IoCs

Processes:

DRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEUSBDRVI.EXEWINPLAYEER.EXEUSBDRVI.EXEDRVHDD.EXEWINPLAYEER.EXEDRVHDD.EXEWINCPU.EXEWINLOGONW.EXEUSBDRVI.EXEWINLOGONW.EXEWINCPU.EXEWINCPU.EXEWINCPU.EXEwintsklt.exewintskl.exewintsklt.exewintskl.exewintskl.exe

pid	process
3268	DRVHDD.EXE
792	USBDRVI.EXE
3812	WINCPU.EXE
3816	WINLOGONW.EXE
4236	WINPLAYEER.EXE
976	DRVHDD.EXE
3556	USBDRVI.EXE
4924	WINCPU.EXE
3452	WINLOGONW.EXE
3416	WINPLAYEER.EXE
6044	USBDRVI.EXE
6036	WINPLAYEER.EXE
6056	USBDRVI.EXE
6088	DRVHDD.EXE
2308	WINPLAYEER.EXE
3448	DRVHDD.EXE
3520	WINCPU.EXE
3884	WINLOGONW.EXE
1724	USBDRVI.EXE
4272	WINLOGONW.EXE
2880	WINCPU.EXE
5836	WINCPU.EXE
5840	WINCPU.EXE
616	wintsklt.exe
5152	wintskl.exe
1904	wintsklt.exe
6076	wintskl.exe
3092	wintskl.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/6088-224-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6088-226-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6088-222-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6088-217-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6088-239-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3448-259-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6088-286-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINPLAYEER.EXEWINCPU.EXEWINPLAYEER.EXEWINLOGONW.EXEDRVHDD.EXEDRVHDD.EXEwintskl.exeb77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exeUSBDRVI.EXEWINLOGONW.EXEWINCPU.EXEUSBDRVI.EXEwintsklt.exeWINCPU.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINCPU.EXE

Drops startup file 2 IoCs

Processes:

WINPLAYEER.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINPLAYEER.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINPLAYEER.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINPLAYEER.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINPLAYEER.EXE

Suspicious use of SetThreadContext 12 IoCs

Processes:

USBDRVI.EXEWINPLAYEER.EXEDRVHDD.EXEWINPLAYEER.EXEDRVHDD.EXEWINCPU.EXEUSBDRVI.EXEWINLOGONW.EXEWINLOGONW.EXEWINCPU.EXEwintsklt.exewintskl.exe

description	pid	process	target process
PID 3556 set thread context of 6044	3556	USBDRVI.EXE	USBDRVI.EXE
PID 4236 set thread context of 6036	4236	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 3268 set thread context of 6088	3268	DRVHDD.EXE	DRVHDD.EXE
PID 3416 set thread context of 2308	3416	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 976 set thread context of 3448	976	DRVHDD.EXE	DRVHDD.EXE
PID 3812 set thread context of 3520	3812	WINCPU.EXE	WINCPU.EXE
PID 792 set thread context of 1724	792	USBDRVI.EXE	USBDRVI.EXE
PID 3816 set thread context of 3884	3816	WINLOGONW.EXE	WINLOGONW.EXE
PID 3452 set thread context of 4272	3452	WINLOGONW.EXE	WINLOGONW.EXE
PID 4924 set thread context of 5840	4924	WINCPU.EXE	WINCPU.EXE
PID 616 set thread context of 1904	616	wintsklt.exe	wintsklt.exe
PID 5152 set thread context of 3092	5152	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4208 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4800 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINPLAYEER.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINPLAYEER.EXE

pid	process
4208	schtasks.exe

pid	process
4800	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINPLAYEER.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUSBDRVI.EXEUSBDRVI.EXEWINPLAYEER.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEWINCPU.EXEWINLOGONW.EXEDRVHDD.EXEWINCPU.EXEpowershell.exe

pid	process
5060	powershell.exe
5060	powershell.exe
1628	powershell.exe
1628	powershell.exe
1680	powershell.exe
1680	powershell.exe
784	powershell.exe
784	powershell.exe
1496	powershell.exe
1496	powershell.exe
728	powershell.exe
728	powershell.exe
1948	powershell.exe
1948	powershell.exe
2144	powershell.exe
2144	powershell.exe
4104	powershell.exe
4104	powershell.exe
1800	powershell.exe
1800	powershell.exe
1628	powershell.exe
784	powershell.exe
5060	powershell.exe
728	powershell.exe
1496	powershell.exe
1680	powershell.exe
2144	powershell.exe
1948	powershell.exe
4104	powershell.exe
1800	powershell.exe
3556	USBDRVI.EXE
3556	USBDRVI.EXE
792	USBDRVI.EXE
792	USBDRVI.EXE
4236	WINPLAYEER.EXE
4236	WINPLAYEER.EXE
3268	DRVHDD.EXE
3268	DRVHDD.EXE
3416	WINPLAYEER.EXE
3416	WINPLAYEER.EXE
792	USBDRVI.EXE
792	USBDRVI.EXE
3452	WINLOGONW.EXE
3452	WINLOGONW.EXE
3812	WINCPU.EXE
3812	WINCPU.EXE
792	USBDRVI.EXE
792	USBDRVI.EXE
3816	WINLOGONW.EXE
3816	WINLOGONW.EXE
976	DRVHDD.EXE
976	DRVHDD.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
4924	WINCPU.EXE
1420	powershell.exe
1420	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWINPLAYEER.EXEUSBDRVI.EXEUSBDRVI.EXEDRVHDD.EXEWINPLAYEER.EXEWINLOGONW.EXEWINCPU.EXEWINLOGONW.EXEWINCPU.EXEDRVHDD.EXEDRVHDD.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeSecurityPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeTakeOwnershipPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeLoadDriverPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeSystemProfilePrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeSystemtimePrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeProfSingleProcessPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeIncBasePriorityPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeCreatePagefilePrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeBackupPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeRestorePrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeShutdownPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeDebugPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeSystemEnvironmentPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeChangeNotifyPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeRemoteShutdownPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeUndockPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeManageVolumePrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeImpersonatePrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeCreateGlobalPrivilege	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: 33	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: 34	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: 35	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: 36	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4236	WINPLAYEER.EXE
Token: SeDebugPrivilege	3556	USBDRVI.EXE
Token: SeDebugPrivilege	792	USBDRVI.EXE
Token: SeDebugPrivilege	3268	DRVHDD.EXE
Token: SeDebugPrivilege	3416	WINPLAYEER.EXE
Token: SeDebugPrivilege	3452	WINLOGONW.EXE
Token: SeDebugPrivilege	3812	WINCPU.EXE
Token: SeDebugPrivilege	3816	WINLOGONW.EXE
Token: SeDebugPrivilege	4924	WINCPU.EXE
Token: SeDebugPrivilege	976	DRVHDD.EXE
Token: SeIncreaseQuotaPrivilege	6088	DRVHDD.EXE
Token: SeSecurityPrivilege	6088	DRVHDD.EXE
Token: SeTakeOwnershipPrivilege	6088	DRVHDD.EXE
Token: SeLoadDriverPrivilege	6088	DRVHDD.EXE
Token: SeSystemProfilePrivilege	6088	DRVHDD.EXE
Token: SeSystemtimePrivilege	6088	DRVHDD.EXE
Token: SeProfSingleProcessPrivilege	6088	DRVHDD.EXE
Token: SeIncBasePriorityPrivilege	6088	DRVHDD.EXE
Token: SeCreatePagefilePrivilege	6088	DRVHDD.EXE
Token: SeBackupPrivilege	6088	DRVHDD.EXE
Token: SeRestorePrivilege	6088	DRVHDD.EXE
Token: SeShutdownPrivilege	6088	DRVHDD.EXE
Token: SeDebugPrivilege	6088	DRVHDD.EXE
Token: SeSystemEnvironmentPrivilege	6088	DRVHDD.EXE
Token: SeChangeNotifyPrivilege	6088	DRVHDD.EXE
Token: SeRemoteShutdownPrivilege	6088	DRVHDD.EXE
Token: SeUndockPrivilege	6088	DRVHDD.EXE
Token: SeManageVolumePrivilege	6088	DRVHDD.EXE
Token: SeImpersonatePrivilege	6088	DRVHDD.EXE
Token: SeCreateGlobalPrivilege	6088	DRVHDD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exeDRVHDD.EXE

pid process

4356 b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
6088 DRVHDD.EXE

pid	process
4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
6088	DRVHDD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exeUSBDRVI.EXEWINLOGONW.EXEWINPLAYEER.EXEWINLOGONW.EXEWINCPU.EXEWINPLAYEER.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEDRVHDD.EXE

description	pid	process	target process
PID 4356 wrote to memory of 3268	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	DRVHDD.EXE
PID 4356 wrote to memory of 3268	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	DRVHDD.EXE
PID 4356 wrote to memory of 3268	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	DRVHDD.EXE
PID 4356 wrote to memory of 792	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	USBDRVI.EXE
PID 4356 wrote to memory of 792	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	USBDRVI.EXE
PID 4356 wrote to memory of 792	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	USBDRVI.EXE
PID 4356 wrote to memory of 3812	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINCPU.EXE
PID 4356 wrote to memory of 3812	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINCPU.EXE
PID 4356 wrote to memory of 3812	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINCPU.EXE
PID 4356 wrote to memory of 3816	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINLOGONW.EXE
PID 4356 wrote to memory of 3816	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINLOGONW.EXE
PID 4356 wrote to memory of 3816	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINLOGONW.EXE
PID 4356 wrote to memory of 4236	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINPLAYEER.EXE
PID 4356 wrote to memory of 4236	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINPLAYEER.EXE
PID 4356 wrote to memory of 4236	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINPLAYEER.EXE
PID 4356 wrote to memory of 976	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	DRVHDD.EXE
PID 4356 wrote to memory of 976	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	DRVHDD.EXE
PID 4356 wrote to memory of 976	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	DRVHDD.EXE
PID 4356 wrote to memory of 3556	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	USBDRVI.EXE
PID 4356 wrote to memory of 3556	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	USBDRVI.EXE
PID 4356 wrote to memory of 3556	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	USBDRVI.EXE
PID 4356 wrote to memory of 4924	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINCPU.EXE
PID 4356 wrote to memory of 4924	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINCPU.EXE
PID 4356 wrote to memory of 4924	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINCPU.EXE
PID 4356 wrote to memory of 3452	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINLOGONW.EXE
PID 4356 wrote to memory of 3452	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINLOGONW.EXE
PID 4356 wrote to memory of 3452	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINLOGONW.EXE
PID 4356 wrote to memory of 3416	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINPLAYEER.EXE
PID 4356 wrote to memory of 3416	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINPLAYEER.EXE
PID 4356 wrote to memory of 3416	4356	b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe	WINPLAYEER.EXE
PID 792 wrote to memory of 1628	792	USBDRVI.EXE	powershell.exe
PID 792 wrote to memory of 1628	792	USBDRVI.EXE	powershell.exe
PID 792 wrote to memory of 1628	792	USBDRVI.EXE	powershell.exe
PID 3452 wrote to memory of 1800	3452	WINLOGONW.EXE	powershell.exe
PID 3452 wrote to memory of 1800	3452	WINLOGONW.EXE	powershell.exe
PID 3452 wrote to memory of 1800	3452	WINLOGONW.EXE	powershell.exe
PID 4236 wrote to memory of 784	4236	WINPLAYEER.EXE	powershell.exe
PID 4236 wrote to memory of 784	4236	WINPLAYEER.EXE	powershell.exe
PID 4236 wrote to memory of 784	4236	WINPLAYEER.EXE	powershell.exe
PID 3816 wrote to memory of 1948	3816	WINLOGONW.EXE	powershell.exe
PID 3816 wrote to memory of 1948	3816	WINLOGONW.EXE	powershell.exe
PID 3816 wrote to memory of 1948	3816	WINLOGONW.EXE	powershell.exe
PID 3812 wrote to memory of 1680	3812	WINCPU.EXE	powershell.exe
PID 3812 wrote to memory of 1680	3812	WINCPU.EXE	powershell.exe
PID 3812 wrote to memory of 1680	3812	WINCPU.EXE	powershell.exe
PID 3416 wrote to memory of 728	3416	WINPLAYEER.EXE	powershell.exe
PID 3416 wrote to memory of 728	3416	WINPLAYEER.EXE	powershell.exe
PID 3268 wrote to memory of 1496	3268	DRVHDD.EXE	powershell.exe
PID 3416 wrote to memory of 728	3416	WINPLAYEER.EXE	powershell.exe
PID 3268 wrote to memory of 1496	3268	DRVHDD.EXE	powershell.exe
PID 3268 wrote to memory of 1496	3268	DRVHDD.EXE	powershell.exe
PID 3556 wrote to memory of 5060	3556	USBDRVI.EXE	powershell.exe
PID 3556 wrote to memory of 5060	3556	USBDRVI.EXE	powershell.exe
PID 3556 wrote to memory of 5060	3556	USBDRVI.EXE	powershell.exe
PID 4924 wrote to memory of 4104	4924	WINCPU.EXE	powershell.exe
PID 4924 wrote to memory of 4104	4924	WINCPU.EXE	powershell.exe
PID 4924 wrote to memory of 4104	4924	WINCPU.EXE	powershell.exe
PID 976 wrote to memory of 2144	976	DRVHDD.EXE	powershell.exe
PID 976 wrote to memory of 2144	976	DRVHDD.EXE	powershell.exe
PID 976 wrote to memory of 2144	976	DRVHDD.EXE	powershell.exe
PID 3556 wrote to memory of 6044	3556	USBDRVI.EXE	USBDRVI.EXE
PID 3556 wrote to memory of 6044	3556	USBDRVI.EXE	USBDRVI.EXE
PID 3556 wrote to memory of 6044	3556	USBDRVI.EXE	USBDRVI.EXE
PID 3556 wrote to memory of 6044	3556	USBDRVI.EXE	USBDRVI.EXE

C:\Users\Admin\AppData\Local\Temp\b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe
"C:\Users\Admin\AppData\Local\Temp\b77017cc9d6f22acc41306ce5b46076ad54520ac4de7e7a224476861024f7e7e.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6088

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
3⤵
- Executes dropped EXE
PID:6056

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
3⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
4⤵
- Creates scheduled task(s)
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B65.tmp.bat""
4⤵
PID:4772

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:4800

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:5152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:3928

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
6⤵
- Executes dropped EXE
PID:6076

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
6⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
3⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:6036

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
5⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:3448

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
3⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
3⤵
- Executes dropped EXE
PID:5836

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
3⤵
- Executes dropped EXE
PID:5840

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
3⤵
- Executes dropped EXE
PID:2308

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
3⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
3⤵
- Executes dropped EXE
PID:6044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:5412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRVHDD.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USBDRVI.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINCPU.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINLOGONW.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINPLAYEER.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
9912f1d8f296163c70f40dd96c79fa56

SHA1
70c265c6be5865e5bedbcd72cb692e16ed9e939d

SHA256
dae20086000542d5b70876f0fdbf3d321d23ca2bd2d0f9aa677ed5bde1932ade

SHA512
342fda3e29ac1716fb3237e5b87392944310447d33cc21388e8f99af298c60fca2f938426868f00c5a693663041c8240c41fd17b34e3967822379fbc37d6480e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
9912f1d8f296163c70f40dd96c79fa56

SHA1
70c265c6be5865e5bedbcd72cb692e16ed9e939d

SHA256
dae20086000542d5b70876f0fdbf3d321d23ca2bd2d0f9aa677ed5bde1932ade

SHA512
342fda3e29ac1716fb3237e5b87392944310447d33cc21388e8f99af298c60fca2f938426868f00c5a693663041c8240c41fd17b34e3967822379fbc37d6480e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
f3433a9fc08d23c798b72de49b83ba8c

SHA1
aca7fd61db847538ad4746fb55c536597f7e1bcf

SHA256
b05d13e98a87b090ea92c820c7740598de154b978d6c3608a11b480c7bc80a52

SHA512
f46b234f0699fba5f17a8249220e1bf5001e3525e0fe38a3d2fbe555d7a0ef401e1ad986df2ee2be4a32bf7ea0ede16a1b3869b828a52f7c4872e5357cc85e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
4fc08d38a86a0f9c399859b94210267e

SHA1
ff92364766c113b80f8945d88da65e26020c71c1

SHA256
6d9611adaf5dbc003f779c4b7116cf67e7221c3d89d09661811359e1d5a56b35

SHA512
e3b6c332f8487526ec5cc8d31f57aef27ee9f252cc187d9029054b41d3d34b17ebda869da7d55030ca563cd2939534baa26eb7e0996407db7721b7de346b598e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
67d8145f5b2ccabdd922469a8c65e9ac

SHA1
856cc2cc77d21c5fc28b74837189591812ea47aa

SHA256
bdd32f8f448aaed8f412ba475952d9af7b34a140449dc682b7441922621aeea8

SHA512
618959bdc5c04f52999783e2d018ee6552b4e17b2d61131350cf7d7173057c6709671446413206d1bd17474c609ae20da3be62183e9cb8d0ff9a64a8c0aac233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
67d8145f5b2ccabdd922469a8c65e9ac

SHA1
856cc2cc77d21c5fc28b74837189591812ea47aa

SHA256
bdd32f8f448aaed8f412ba475952d9af7b34a140449dc682b7441922621aeea8

SHA512
618959bdc5c04f52999783e2d018ee6552b4e17b2d61131350cf7d7173057c6709671446413206d1bd17474c609ae20da3be62183e9cb8d0ff9a64a8c0aac233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
67d8145f5b2ccabdd922469a8c65e9ac

SHA1
856cc2cc77d21c5fc28b74837189591812ea47aa

SHA256
bdd32f8f448aaed8f412ba475952d9af7b34a140449dc682b7441922621aeea8

SHA512
618959bdc5c04f52999783e2d018ee6552b4e17b2d61131350cf7d7173057c6709671446413206d1bd17474c609ae20da3be62183e9cb8d0ff9a64a8c0aac233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
67d8145f5b2ccabdd922469a8c65e9ac

SHA1
856cc2cc77d21c5fc28b74837189591812ea47aa

SHA256
bdd32f8f448aaed8f412ba475952d9af7b34a140449dc682b7441922621aeea8

SHA512
618959bdc5c04f52999783e2d018ee6552b4e17b2d61131350cf7d7173057c6709671446413206d1bd17474c609ae20da3be62183e9cb8d0ff9a64a8c0aac233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
67d8145f5b2ccabdd922469a8c65e9ac

SHA1
856cc2cc77d21c5fc28b74837189591812ea47aa

SHA256
bdd32f8f448aaed8f412ba475952d9af7b34a140449dc682b7441922621aeea8

SHA512
618959bdc5c04f52999783e2d018ee6552b4e17b2d61131350cf7d7173057c6709671446413206d1bd17474c609ae20da3be62183e9cb8d0ff9a64a8c0aac233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
67d8145f5b2ccabdd922469a8c65e9ac

SHA1
856cc2cc77d21c5fc28b74837189591812ea47aa

SHA256
bdd32f8f448aaed8f412ba475952d9af7b34a140449dc682b7441922621aeea8

SHA512
618959bdc5c04f52999783e2d018ee6552b4e17b2d61131350cf7d7173057c6709671446413206d1bd17474c609ae20da3be62183e9cb8d0ff9a64a8c0aac233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
64f99832430dfc9f368b834b2b841ae2

SHA1
482633b63ce60755fdde588abdf4acaee7947d4c

SHA256
ab73a360b34f077a9f9e51db6178ab5b68eb4a7ff1d9a449713a85ca8249a53c

SHA512
e5bf04aa0bfbc210ea6f9c36dfb543d3f42ba141ca523140dc3ed88804efa9fc7ba37c5784d408eadd9b76c188ea54e6eca21ebb9b61d72c9a586853e39aa750

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B65.tmp.bat
Filesize
151B

MD5
977272cbe7c68f3bb08b6f75aace1b08

SHA1
f75dfb173c8b3182ad7011fbdaf541987ab7e8df

SHA256
f1929f0519282d2da671c34ab74a51f41b0159401040444cac91866b6e6e0dc8

SHA512
2aa6b0312a9ca2757ca3bee3dfbdb9aeac2e58bb35394be0f822b2e28d72664df0c7a752c7694ce4370818ab8b883afe6f6060e181284803c20e74fab8652542

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe
Filesize
43.3MB

MD5
0b500c2f89a53fd6482be895e463013a

SHA1
7a6b677a1fbb9006eee2521e220d95579a7c345b

SHA256
bf07d177296525468824f4a4c3434575d45929f49b3a9390f79af8d50165842a

SHA512
416d7d114a784a1d4aaad133f260141f244c54674c950f564ce84710b2cd6f74ebd9e296416e65a253790b2137447bf05d5c912f219d78547b485f29fb97a2fc

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe
Filesize
43.3MB

MD5
0b500c2f89a53fd6482be895e463013a

SHA1
7a6b677a1fbb9006eee2521e220d95579a7c345b

SHA256
bf07d177296525468824f4a4c3434575d45929f49b3a9390f79af8d50165842a

SHA512
416d7d114a784a1d4aaad133f260141f244c54674c950f564ce84710b2cd6f74ebd9e296416e65a253790b2137447bf05d5c912f219d78547b485f29fb97a2fc

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe
Filesize
43.3MB

MD5
0b500c2f89a53fd6482be895e463013a

SHA1
7a6b677a1fbb9006eee2521e220d95579a7c345b

SHA256
bf07d177296525468824f4a4c3434575d45929f49b3a9390f79af8d50165842a

SHA512
416d7d114a784a1d4aaad133f260141f244c54674c950f564ce84710b2cd6f74ebd9e296416e65a253790b2137447bf05d5c912f219d78547b485f29fb97a2fc

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe
Filesize
43.3MB

MD5
0b500c2f89a53fd6482be895e463013a

SHA1
7a6b677a1fbb9006eee2521e220d95579a7c345b

SHA256
bf07d177296525468824f4a4c3434575d45929f49b3a9390f79af8d50165842a

SHA512
416d7d114a784a1d4aaad133f260141f244c54674c950f564ce84710b2cd6f74ebd9e296416e65a253790b2137447bf05d5c912f219d78547b485f29fb97a2fc

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/616-274-0x0000000000000000-mapping.dmp

Download
memory/728-181-0x00000000075A0000-0x0000000007C1A000-memory.dmp

Filesize
6.5MB

Download
memory/728-170-0x0000000000000000-mapping.dmp

Download
memory/784-182-0x0000000006070000-0x000000000608A000-memory.dmp

Filesize
104KB

Download
memory/784-167-0x0000000000000000-mapping.dmp

Download
memory/792-152-0x0000000000110000-0x0000000000184000-memory.dmp

Filesize
464KB

Download
memory/792-134-0x0000000000000000-mapping.dmp

Download
memory/976-147-0x0000000000000000-mapping.dmp

Download
memory/1420-279-0x0000000000000000-mapping.dmp

Download
memory/1496-171-0x0000000000000000-mapping.dmp

Download
memory/1628-178-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/1628-175-0x0000000002DE0000-0x0000000002E16000-memory.dmp

Filesize
216KB

Download
memory/1628-179-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/1628-165-0x0000000000000000-mapping.dmp

Download
memory/1628-180-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/1680-169-0x0000000000000000-mapping.dmp

Download
memory/1724-268-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1724-220-0x0000000000000000-mapping.dmp

Download
memory/1724-271-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1800-166-0x0000000000000000-mapping.dmp

Download
memory/1904-295-0x0000000000000000-mapping.dmp

Download
memory/1904-301-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1904-305-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1948-168-0x0000000000000000-mapping.dmp

Download
memory/2144-174-0x0000000000000000-mapping.dmp

Download
memory/2308-210-0x0000000000000000-mapping.dmp

Download
memory/2308-249-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2308-270-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2880-232-0x0000000000000000-mapping.dmp

Download
memory/3092-308-0x0000000000000000-mapping.dmp

Download
memory/3268-132-0x0000000000000000-mapping.dmp

Download
memory/3268-155-0x0000000000880000-0x0000000000920000-memory.dmp

Filesize
640KB

Download
memory/3416-159-0x0000000000000000-mapping.dmp

Download
memory/3448-230-0x0000000000000000-mapping.dmp

Download
memory/3448-259-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3452-157-0x0000000000000000-mapping.dmp

Download
memory/3520-219-0x0000000000000000-mapping.dmp

Download
memory/3520-284-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/3520-234-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3556-161-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/3556-149-0x0000000000000000-mapping.dmp

Download
memory/3812-163-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/3812-151-0x00000000001F0000-0x0000000000258000-memory.dmp

Filesize
416KB

Download
memory/3812-138-0x0000000000000000-mapping.dmp

Download
memory/3816-140-0x0000000000000000-mapping.dmp

Download
memory/3816-156-0x0000000000090000-0x0000000000102000-memory.dmp

Filesize
456KB

Download
memory/3884-267-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3884-236-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3884-252-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3884-287-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3884-223-0x0000000000000000-mapping.dmp

Download
memory/3928-300-0x0000000000000000-mapping.dmp

Download
memory/4104-173-0x0000000000000000-mapping.dmp

Download
memory/4208-288-0x0000000000000000-mapping.dmp

Download
memory/4236-144-0x0000000000000000-mapping.dmp

Download
memory/4236-154-0x0000000000CB0000-0x0000000000D26000-memory.dmp

Filesize
472KB

Download
memory/4272-216-0x0000000000000000-mapping.dmp

Download
memory/4272-269-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4272-272-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4772-289-0x0000000000000000-mapping.dmp

Download
memory/4788-303-0x0000000000000000-mapping.dmp

Download
memory/4788-304-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/4800-291-0x0000000000000000-mapping.dmp

Download
memory/4924-164-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/4924-153-0x0000000000000000-mapping.dmp

Download
memory/5060-172-0x0000000000000000-mapping.dmp

Download
memory/5060-176-0x00000000054F0000-0x0000000005B18000-memory.dmp

Filesize
6.2MB

Download
memory/5060-177-0x00000000053F0000-0x0000000005412000-memory.dmp

Filesize
136KB

Download
memory/5152-292-0x0000000000000000-mapping.dmp

Download
memory/5412-280-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/5412-273-0x0000000000000000-mapping.dmp

Download
memory/5836-261-0x0000000000000000-mapping.dmp

Download
memory/5840-263-0x0000000000000000-mapping.dmp

Download
memory/5888-278-0x0000000000000000-mapping.dmp

Download
memory/5888-282-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/6036-209-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6036-201-0x0000000000000000-mapping.dmp

Download
memory/6036-277-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6036-203-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6036-206-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6044-202-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6044-195-0x0000000000000000-mapping.dmp

Download
memory/6044-196-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6044-207-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6044-285-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6056-197-0x0000000000000000-mapping.dmp

Download
memory/6076-306-0x0000000000000000-mapping.dmp

Download
memory/6088-286-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6088-217-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6088-239-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6088-208-0x0000000000000000-mapping.dmp

Download
memory/6088-222-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6088-226-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6088-224-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download