darkcomet | d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc

Analysis

max time kernel
93s
max time network
149s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Size

3.6MB
MD5

7fee70edac93dbec8a5a602b33b97d0b
SHA1

f9595e9e4572dd068a70502faf7717328d8d30ca
SHA256

d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc
SHA512

f04c2457c481ff0ea7de2f0d7bb690ebc0a24d5eebb997075ded14ef0d34becc3d045ab1d57a27657bc85fef3031e5bb7e62548ce3c4e26d3596f16a657c982f
SSDEEP

98304:aQU/QvsjfLP3L4LP1TRDLPo6oELPb/wULPXFLPp:aQjsjff4ZpjvPZxt

Score

10^/10

darkcomet warzonerat new-july-july4-0 infostealer rat trojan upx

Malware Config

Extracted

Family

warzonerat

45.74.4.244:5199

dgorijan20785.hopto.org:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 21 IoCs

rat

resource	yara_rule
behavioral1/memory/2516-180-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2504-179-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2516-184-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2504-183-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2516-193-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2504-192-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2516-201-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2504-200-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2516-197-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2516-207-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2504-206-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2504-211-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2532-216-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2504-244-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2516-243-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2532-246-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2504-249-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2516-250-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2532-251-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2532-254-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2516-256-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE

Executes dropped EXE 16 IoCs

pid	Process
796	ADOBESTV.EXE
1312	DRVHDD.EXE
664	USBDRVI.EXE
768	WINCPU.EXE
1516	WINLOGONW.EXE
1296	WINPLAYEER.EXE
1876	ADOBESTV.EXE
1008	DRVHDD.EXE
864	USBDRVI.EXE
1812	WINCPU.EXE
2452	USBDRVI.EXE
2484	USBDRVI.EXE
2472	DRVHDD.EXE
2516	WINLOGONW.EXE
2504	USBDRVI.EXE
2532	USBDRVI.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2472-159-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2472-169-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2472-182-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2472-191-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2472-198-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2472-204-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2564-208-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2472-226-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-245-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2564-247-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2472-248-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2564-252-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Loads dropped DLL 17 IoCs

pid	Process
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
864	USBDRVI.EXE
1312	DRVHDD.EXE
864	USBDRVI.EXE
864	USBDRVI.EXE
1516	WINLOGONW.EXE
664	USBDRVI.EXE

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 2472	1312	DRVHDD.EXE	56
PID 1516 set thread context of 2516	1516	WINLOGONW.EXE	53
PID 864 set thread context of 2504	864	USBDRVI.EXE	54
PID 664 set thread context of 2532	664	USBDRVI.EXE	57
PID 1876 set thread context of 2564	1876	ADOBESTV.EXE	59
PID 796 set thread context of 2436	796	ADOBESTV.EXE	58

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
748	powershell.exe
580	powershell.exe
564	powershell.exe
1544	powershell.exe
524	powershell.exe
1924	powershell.exe
864	USBDRVI.EXE
864	USBDRVI.EXE
864	USBDRVI.EXE
864	USBDRVI.EXE
1312	DRVHDD.EXE
1312	DRVHDD.EXE
864	USBDRVI.EXE
864	USBDRVI.EXE
864	USBDRVI.EXE
864	USBDRVI.EXE
864	USBDRVI.EXE
864	USBDRVI.EXE
1516	WINLOGONW.EXE
1516	WINLOGONW.EXE
664	USBDRVI.EXE
664	USBDRVI.EXE
1876	ADOBESTV.EXE
1876	ADOBESTV.EXE
796	ADOBESTV.EXE
796	ADOBESTV.EXE

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeSecurityPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeTakeOwnershipPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeLoadDriverPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeSystemProfilePrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeSystemtimePrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeProfSingleProcessPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeIncBasePriorityPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeCreatePagefilePrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeBackupPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeRestorePrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeShutdownPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeDebugPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeSystemEnvironmentPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeChangeNotifyPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeRemoteShutdownPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeUndockPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeManageVolumePrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeImpersonatePrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeCreateGlobalPrivilege	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: 33	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: 34	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: 35	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	864	USBDRVI.EXE
Token: SeDebugPrivilege	1312	DRVHDD.EXE
Token: SeDebugPrivilege	1516	WINLOGONW.EXE
Token: SeDebugPrivilege	664	USBDRVI.EXE
Token: SeIncreaseQuotaPrivilege	2472	DRVHDD.EXE
Token: SeSecurityPrivilege	2472	DRVHDD.EXE
Token: SeTakeOwnershipPrivilege	2472	DRVHDD.EXE
Token: SeLoadDriverPrivilege	2472	DRVHDD.EXE
Token: SeSystemProfilePrivilege	2472	DRVHDD.EXE
Token: SeSystemtimePrivilege	2472	DRVHDD.EXE
Token: SeProfSingleProcessPrivilege	2472	DRVHDD.EXE
Token: SeIncBasePriorityPrivilege	2472	DRVHDD.EXE
Token: SeCreatePagefilePrivilege	2472	DRVHDD.EXE
Token: SeBackupPrivilege	2472	DRVHDD.EXE
Token: SeRestorePrivilege	2472	DRVHDD.EXE
Token: SeShutdownPrivilege	2472	DRVHDD.EXE
Token: SeDebugPrivilege	2472	DRVHDD.EXE
Token: SeSystemEnvironmentPrivilege	2472	DRVHDD.EXE
Token: SeChangeNotifyPrivilege	2472	DRVHDD.EXE
Token: SeRemoteShutdownPrivilege	2472	DRVHDD.EXE
Token: SeUndockPrivilege	2472	DRVHDD.EXE
Token: SeManageVolumePrivilege	2472	DRVHDD.EXE
Token: SeImpersonatePrivilege	2472	DRVHDD.EXE
Token: SeCreateGlobalPrivilege	2472	DRVHDD.EXE
Token: 33	2472	DRVHDD.EXE
Token: 34	2472	DRVHDD.EXE
Token: 35	2472	DRVHDD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2472	DRVHDD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 796	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	28
PID 1648 wrote to memory of 796	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	28
PID 1648 wrote to memory of 796	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	28
PID 1648 wrote to memory of 796	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	28
PID 1648 wrote to memory of 1312	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	29
PID 1648 wrote to memory of 1312	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	29
PID 1648 wrote to memory of 1312	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	29
PID 1648 wrote to memory of 1312	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	29
PID 1648 wrote to memory of 664	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	30
PID 1648 wrote to memory of 664	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	30
PID 1648 wrote to memory of 664	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	30
PID 1648 wrote to memory of 664	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	30
PID 1648 wrote to memory of 768	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	31
PID 1648 wrote to memory of 768	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	31
PID 1648 wrote to memory of 768	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	31
PID 1648 wrote to memory of 768	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	31
PID 1648 wrote to memory of 1516	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	32
PID 1648 wrote to memory of 1516	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	32
PID 1648 wrote to memory of 1516	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	32
PID 1648 wrote to memory of 1516	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	32
PID 1648 wrote to memory of 1296	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	33
PID 1648 wrote to memory of 1296	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	33
PID 1648 wrote to memory of 1296	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	33
PID 1648 wrote to memory of 1296	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	33
PID 1648 wrote to memory of 1876	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	34
PID 1648 wrote to memory of 1876	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	34
PID 1648 wrote to memory of 1876	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	34
PID 1648 wrote to memory of 1876	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	34
PID 1648 wrote to memory of 1008	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	35
PID 1648 wrote to memory of 1008	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	35
PID 1648 wrote to memory of 1008	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	35
PID 1648 wrote to memory of 1008	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	35
PID 1648 wrote to memory of 864	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	36
PID 1648 wrote to memory of 864	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	36
PID 1648 wrote to memory of 864	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	36
PID 1648 wrote to memory of 864	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	36
PID 1648 wrote to memory of 1812	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	37
PID 1648 wrote to memory of 1812	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	37
PID 1648 wrote to memory of 1812	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	37
PID 1648 wrote to memory of 1812	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	37
PID 1648 wrote to memory of 1844	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	38
PID 1648 wrote to memory of 1844	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	38
PID 1648 wrote to memory of 1844	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	38
PID 1648 wrote to memory of 1844	1648	d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe	38
PID 1296 wrote to memory of 376	1296	WINPLAYEER.EXE	44
PID 1296 wrote to memory of 376	1296	WINPLAYEER.EXE	44
PID 1296 wrote to memory of 376	1296	WINPLAYEER.EXE	44
PID 1296 wrote to memory of 376	1296	WINPLAYEER.EXE	44
PID 1516 wrote to memory of 580	1516	WINLOGONW.EXE	43
PID 1516 wrote to memory of 580	1516	WINLOGONW.EXE	43
PID 1516 wrote to memory of 580	1516	WINLOGONW.EXE	43
PID 1516 wrote to memory of 580	1516	WINLOGONW.EXE	43
PID 1876 wrote to memory of 524	1876	ADOBESTV.EXE	42
PID 1876 wrote to memory of 524	1876	ADOBESTV.EXE	42
PID 1876 wrote to memory of 524	1876	ADOBESTV.EXE	42
PID 1876 wrote to memory of 524	1876	ADOBESTV.EXE	42
PID 864 wrote to memory of 564	864	USBDRVI.EXE	39
PID 864 wrote to memory of 564	864	USBDRVI.EXE	39
PID 864 wrote to memory of 564	864	USBDRVI.EXE	39
PID 864 wrote to memory of 564	864	USBDRVI.EXE	39
PID 1312 wrote to memory of 1924	1312	DRVHDD.EXE	40
PID 1312 wrote to memory of 1924	1312	DRVHDD.EXE	40
PID 1312 wrote to memory of 1924	1312	DRVHDD.EXE	40
PID 1312 wrote to memory of 1924	1312	DRVHDD.EXE	40

C:\Users\Admin\AppData\Local\Temp\d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe
"C:\Users\Admin\AppData\Local\Temp\d9ec2e333a48365878a8fe44e287111e73e43a8314ab717bfd20f9ef1bde9afc.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
  "C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:2436
- C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
  "C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
    C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2472
- C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
  "C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
    C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
    3⤵
    - Executes dropped EXE
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
    C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
    3⤵
    - Executes dropped EXE
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    PID:376
- C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
  "C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
  "C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
  "C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
    C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
    C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
    3⤵
    - Executes dropped EXE
    PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2272
- - C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
    C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
    3⤵
    - Executes dropped EXE
    PID:2484
- C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
  2⤵
  PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE

Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE

Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE

Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5298d6a886610d710a1c44164d692448

SHA1
c12a633edca8de5cccc3aab91972622b557d7f40

SHA256
f63f809a0aef0a58d0220d20c8621db6d1a930e8838af55497b81c42f6a38a33

SHA512
ebec6ae1c416ffbbf6ea45da2e1cfdb23a0d60d5fa85c914fc8ebce87ae26a4bf4e5ec3f3cbd3fef0113b42a1da2cfe43688a70b1b99e3f7a692fb44906f9309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5298d6a886610d710a1c44164d692448

SHA1
c12a633edca8de5cccc3aab91972622b557d7f40

SHA256
f63f809a0aef0a58d0220d20c8621db6d1a930e8838af55497b81c42f6a38a33

SHA512
ebec6ae1c416ffbbf6ea45da2e1cfdb23a0d60d5fa85c914fc8ebce87ae26a4bf4e5ec3f3cbd3fef0113b42a1da2cfe43688a70b1b99e3f7a692fb44906f9309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5298d6a886610d710a1c44164d692448

SHA1
c12a633edca8de5cccc3aab91972622b557d7f40

SHA256
f63f809a0aef0a58d0220d20c8621db6d1a930e8838af55497b81c42f6a38a33

SHA512
ebec6ae1c416ffbbf6ea45da2e1cfdb23a0d60d5fa85c914fc8ebce87ae26a4bf4e5ec3f3cbd3fef0113b42a1da2cfe43688a70b1b99e3f7a692fb44906f9309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5298d6a886610d710a1c44164d692448

SHA1
c12a633edca8de5cccc3aab91972622b557d7f40

SHA256
f63f809a0aef0a58d0220d20c8621db6d1a930e8838af55497b81c42f6a38a33

SHA512
ebec6ae1c416ffbbf6ea45da2e1cfdb23a0d60d5fa85c914fc8ebce87ae26a4bf4e5ec3f3cbd3fef0113b42a1da2cfe43688a70b1b99e3f7a692fb44906f9309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5298d6a886610d710a1c44164d692448

SHA1
c12a633edca8de5cccc3aab91972622b557d7f40

SHA256
f63f809a0aef0a58d0220d20c8621db6d1a930e8838af55497b81c42f6a38a33

SHA512
ebec6ae1c416ffbbf6ea45da2e1cfdb23a0d60d5fa85c914fc8ebce87ae26a4bf4e5ec3f3cbd3fef0113b42a1da2cfe43688a70b1b99e3f7a692fb44906f9309

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE

Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE

Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE

Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE

Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPU.EXE

Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE

Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE

Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
memory/376-116-0x0000000000000000-mapping.dmp

Download
memory/524-138-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/524-152-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/524-144-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/524-118-0x0000000000000000-mapping.dmp

Download
memory/564-119-0x0000000000000000-mapping.dmp

Download
memory/564-136-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/564-147-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/564-142-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/580-149-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/580-117-0x0000000000000000-mapping.dmp

Download
memory/580-143-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/580-137-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/664-64-0x0000000000000000-mapping.dmp

Download
memory/664-81-0x00000000002B0000-0x0000000000324000-memory.dmp

Filesize
464KB

Download
memory/664-109-0x0000000002010000-0x000000000206C000-memory.dmp

Filesize
368KB

Download
memory/748-122-0x0000000000000000-mapping.dmp

Download
memory/748-145-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/748-139-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/748-150-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/768-83-0x0000000001370000-0x00000000013D8000-memory.dmp

Filesize
416KB

Download
memory/768-67-0x0000000000000000-mapping.dmp

Download
memory/796-56-0x0000000000000000-mapping.dmp

Download
memory/796-110-0x00000000008E0000-0x0000000000982000-memory.dmp

Filesize
648KB

Download
memory/796-80-0x0000000001180000-0x000000000123A000-memory.dmp

Filesize
744KB

Download
memory/864-92-0x0000000000000000-mapping.dmp

Download
memory/1008-89-0x0000000000000000-mapping.dmp

Download
memory/1296-115-0x0000000004390000-0x00000000043DC000-memory.dmp

Filesize
304KB

Download
memory/1296-76-0x0000000000000000-mapping.dmp

Download
memory/1296-111-0x00000000006A0000-0x00000000006FC000-memory.dmp

Filesize
368KB

Download
memory/1296-82-0x0000000000F10000-0x0000000000F86000-memory.dmp

Filesize
472KB

Download
memory/1312-112-0x00000000047D0000-0x0000000004858000-memory.dmp

Filesize
544KB

Download
memory/1312-84-0x00000000008E0000-0x0000000000980000-memory.dmp

Filesize
640KB

Download
memory/1312-59-0x0000000000000000-mapping.dmp

Download
memory/1516-79-0x0000000000970000-0x00000000009E2000-memory.dmp

Filesize
456KB

Download
memory/1516-71-0x0000000000000000-mapping.dmp

Download
memory/1516-113-0x00000000005B0000-0x000000000060A000-memory.dmp

Filesize
360KB

Download
memory/1544-141-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-121-0x0000000000000000-mapping.dmp

Download
memory/1544-135-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-148-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1812-94-0x0000000000000000-mapping.dmp

Download
memory/1844-101-0x0000000000000000-mapping.dmp

Download
memory/1876-86-0x0000000000000000-mapping.dmp

Download
memory/1876-114-0x0000000000A70000-0x0000000000B12000-memory.dmp

Filesize
648KB

Download
memory/1924-120-0x0000000000000000-mapping.dmp

Download
memory/1924-134-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-140-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-146-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-253-0x0000000000000000-mapping.dmp

Download
memory/2436-229-0x00000000004C6E20-mapping.dmp

Download
memory/2436-245-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2472-226-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2472-169-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2472-155-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2472-186-0x00000000004B56A0-mapping.dmp

Download
memory/2472-248-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2472-159-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2472-182-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2472-204-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2472-198-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2472-191-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2504-173-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-211-0x0000000000406DE6-mapping.dmp

Download
memory/2504-200-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-192-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-244-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-166-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-206-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-249-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-179-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-161-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2504-183-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2516-163-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-184-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-256-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-250-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-180-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-174-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-193-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-207-0x0000000000405CE2-mapping.dmp

Download
memory/2516-197-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-243-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-167-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2516-201-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2532-246-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2532-216-0x0000000000406DE6-mapping.dmp

Download
memory/2532-251-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2532-254-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2564-247-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2564-228-0x00000000004C6E20-mapping.dmp

Download
memory/2564-252-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2564-208-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2564-202-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download