asyncrat | 463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

Resubmissions

27-01-2023 19:10

230127-xvglescg25 10

27-01-2023 17:57

230127-wjv41adg9z 10

27-01-2023 17:47

230127-wcvjwsdg7x 10

Analysis

max time kernel
600s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2023 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doge-Miner203.exe
Size

6.1MB
MD5

d7e6fd264bc937e3646de58e551a29db
SHA1

1db4664777b17e004f71cee4002f9ccc430413e4
SHA256

463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
SHA512

cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837
SSDEEP

98304:tGFp32YKbG4vUdQUbSZ/I2jeYXyxd4494Wc9f:tEMbqQ5Z/pjVifXuT

Score

10^/10

asyncrat darkcomet warzonerat 1++dec_code111 1++dec_pure_1 new-july-july4-0 new-july-july4-02 collection infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

1++Dec_Code111

dgorijan20785.hopto.org:35799

Mutex

DC_MUTEX-LBKFSQL

Attributes

gencode
5RZrbWYF4XYM
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

dgorijan20785.hopto.org:5200

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

1++Dec_Pure_1

dgorijan20785.hopto.org:35799

Mutex

DC_MUTEX-JP69GTU

Attributes

gencode
ZrXR6g2JfYyE
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 54 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wincalc.exe.exe,"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/6764-328-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 26 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/720-296-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/720-299-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/720-300-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4876-312-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4876-316-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4876-320-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4260-324-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4260-326-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4876-327-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4260-329-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5264-352-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5348-363-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/4260-362-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1264-373-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5244-377-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4148-375-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5348-379-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/5264-397-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5320-399-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/384-400-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/216-401-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1264-402-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4148-407-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/720-409-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5320-410-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/384-411-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 8 IoCs

Processes:

AUDIOPT.EXEAUDIOPT.EXEAddInProcess32.exeAddInProcess32.exeAddInProcess32.exeInstallUtil.exeInstallUtil.exeAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AddInProcess32.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AddInProcess32.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AddInProcess32.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Executes dropped EXE 64 IoCs

Processes:

notepad.exeCPUMON.EXEMSCALC.EXEUSBDRV.EXEWINLOGONS.EXEWINRARL.EXEwinnote.exeCPUMON.EXEMSCALC.EXEUSBDRV.EXEWINLOGONS.EXEwinnote.exeWINRARL.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEADOBESERV.EXEWINPLAY.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEADOBESERV.EXEAUDIOPT.EXEWINPLAY.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEDRVVIDEO.EXEDRVVIDEO.EXEAUDIOPT.EXEWINCPUL.EXEWINLOGONL.EXEwintsklt.exeWINPLAY.EXEDRVVIDEO.EXEDRVVIDEO.EXEAUDIOPT.EXEWINPLAY.EXEWINPLAY.EXEWINPLAY.EXEWINPLAY.EXEAUDIOPT.EXEWINLOGONL.EXEDRVVIDEO.EXEWINLOGONL.EXEWINLOGONS.EXECPUMON.EXEWINLOGONS.EXECPUMON.EXEWINCPUL.EXEWINCPUL.EXEwintskl.exewintsklt.exewintskl.exewincalc.exe.exewincalc.exe.execalc.execalc.execalc.execalc.exe

pid	process
3960	notepad.exe
4512	CPUMON.EXE
3252	MSCALC.EXE
3452	USBDRV.EXE
3936	WINLOGONS.EXE
1280	WINRARL.EXE
5064	winnote.exe
1700	CPUMON.EXE
1612	MSCALC.EXE
3712	USBDRV.EXE
1252	WINLOGONS.EXE
3740	winnote.exe
4324	WINRARL.EXE
3468	ADOBESERV.EXE
4044	AUDIOPT.EXE
628	DRVVIDEO.EXE
4776	WINCPUL.EXE
1480	WINLOGONL.EXE
4048	ADOBESERV.EXE
2020	WINPLAY.EXE
4688	AUDIOPT.EXE
3508	DRVVIDEO.EXE
340	WINCPUL.EXE
4456	WINLOGONL.EXE
4368	ADOBESERV.EXE
3552	AUDIOPT.EXE
2576	WINPLAY.EXE
4928	DRVVIDEO.EXE
1020	WINCPUL.EXE
3412	WINLOGONL.EXE
1280	WINPLAY.EXE
3572	DRVVIDEO.EXE
720	DRVVIDEO.EXE
5092	AUDIOPT.EXE
4876	WINCPUL.EXE
4260	WINLOGONL.EXE
6504	wintsklt.exe
6764	WINPLAY.EXE
5492	DRVVIDEO.EXE
5264	DRVVIDEO.EXE
6644	AUDIOPT.EXE
7140	WINPLAY.EXE
5504	WINPLAY.EXE
5376	WINPLAY.EXE
5268	WINPLAY.EXE
5636	AUDIOPT.EXE
5244	WINLOGONL.EXE
1264	DRVVIDEO.EXE
4148	WINLOGONL.EXE
5348	WINLOGONS.EXE
5480	CPUMON.EXE
5320	WINLOGONS.EXE
6020	CPUMON.EXE
216	WINCPUL.EXE
384	WINCPUL.EXE
3352	wintskl.exe
6544	wintsklt.exe
6376	wintskl.exe
7036	wincalc.exe.exe
6428	wincalc.exe.exe
5900	calc.exe
5652	calc.exe
2744	calc.exe
3100	calc.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3884-150-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral2/memory/3884-152-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral2/memory/3884-153-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral2/memory/3884-154-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral2/memory/3884-208-0x0000000000400000-0x0000000000A0D000-memory.dmp	upx
behavioral2/memory/3276-212-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3276-214-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3276-216-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1304-235-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3276-232-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1304-275-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/3276-293-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/5092-303-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5092-305-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5092-306-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5092-307-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5092-309-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4916-315-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4916-318-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4916-319-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4916-322-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4272-340-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6644-342-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5636-367-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5884-368-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5480-364-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5480-378-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6020-390-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5288-398-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6580-408-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

notepad.exewinnote.exeWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEWINCPUL.EXEADOBESERV.EXEWINPLAY.EXEWINCPUL.EXEwincalc.exe.exeWINRARL.EXEAUDIOPT.EXEDRVVIDEO.EXEAUDIOPT.EXEWINLOGONL.EXEwintsklt.exewintskl.exeWINLOGONL.EXEWINPLAY.EXEWINRARL.EXEADOBESERV.EXEWINCPUL.EXEwincalc.exe.execalc.exeAUDIOPT.EXEDRVVIDEO.EXEWINPLAY.EXEDRVVIDEO.EXEcalc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	notepad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	winnote.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wincalc.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINRARL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINRARL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wincalc.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	calc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	calc.exe

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Loads dropped DLL 6 IoCs

Processes:

WINLOGONS.EXE

pid process

5348 WINLOGONS.EXE
5348 WINLOGONS.EXE
5348 WINLOGONS.EXE
5348 WINLOGONS.EXE
5348 WINLOGONS.EXE
5348 WINLOGONS.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5348	WINLOGONS.EXE
5348	WINLOGONS.EXE
5348	WINLOGONS.EXE
5348	WINLOGONS.EXE
5348	WINLOGONS.EXE
5348	WINLOGONS.EXE

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

WINLOGONS.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WINLOGONS.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WINLOGONS.EXE

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINRARL.EXEAUDIOPT.EXEWINLOGONL.EXEWINCPUL.EXEADOBESERV.EXEDRVVIDEO.EXEDRVVIDEO.EXEWINRARL.EXEDRVVIDEO.EXEADOBESERV.EXEWINLOGONL.EXEWINLOGONL.EXEAUDIOPT.EXEADOBESERV.EXEAUDIOPT.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	WINRARL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	WINRARL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE

Suspicious use of SetThreadContext 36 IoCs

Processes:

notepad.exeWINRARL.EXEWINPLAY.EXEDRVVIDEO.EXEAUDIOPT.EXEWINCPUL.EXEADOBESERV.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEDRVVIDEO.EXEAUDIOPT.EXEWINPLAY.EXEAUDIOPT.EXEWINLOGONL.EXEADOBESERV.EXEDRVVIDEO.EXEWINLOGONL.EXEWINLOGONS.EXECPUMON.EXEUSBDRV.EXEWINLOGONS.EXECPUMON.EXEWINCPUL.EXEWINCPUL.EXEUSBDRV.EXEwintsklt.exewintskl.exewincalc.exe.exewincalc.exe.exe

description	pid	process	target process
PID 3960 set thread context of 3884	3960	notepad.exe	AddInProcess32.exe
PID 4324 set thread context of 3276	4324	WINRARL.EXE	InstallUtil.exe
PID 1280 set thread context of 1304	1280	WINPLAY.EXE	InstallUtil.exe
PID 628 set thread context of 720	628	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 4044 set thread context of 5092	4044	AUDIOPT.EXE	AUDIOPT.EXE
PID 4776 set thread context of 4876	4776	WINCPUL.EXE	WINCPUL.EXE
PID 3468 set thread context of 4916	3468	ADOBESERV.EXE	InstallUtil.exe
PID 1480 set thread context of 4260	1480	WINLOGONL.EXE	WINLOGONL.EXE
PID 2020 set thread context of 6764	2020	WINPLAY.EXE	WINPLAY.EXE
PID 4048 set thread context of 4272	4048	ADOBESERV.EXE	InstallUtil.exe
PID 3508 set thread context of 5264	3508	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 4688 set thread context of 6644	4688	AUDIOPT.EXE	AUDIOPT.EXE
PID 2576 set thread context of 5376	2576	WINPLAY.EXE	WINPLAY.EXE
PID 1280 set thread context of 5268	1280	WINPLAY.EXE	WINPLAY.EXE
PID 3552 set thread context of 5636	3552	AUDIOPT.EXE	AUDIOPT.EXE
PID 4456 set thread context of 5244	4456	WINLOGONL.EXE	WINLOGONL.EXE
PID 4368 set thread context of 5884	4368	ADOBESERV.EXE	InstallUtil.exe
PID 4928 set thread context of 1264	4928	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 3412 set thread context of 4148	3412	WINLOGONL.EXE	WINLOGONL.EXE
PID 3936 set thread context of 5348	3936	WINLOGONS.EXE	WINLOGONS.EXE
PID 4512 set thread context of 5480	4512	CPUMON.EXE	CPUMON.EXE
PID 3712 set thread context of 5288	3712	USBDRV.EXE	AddInProcess32.exe
PID 1252 set thread context of 5320	1252	WINLOGONS.EXE	WINLOGONS.EXE
PID 1700 set thread context of 6020	1700	CPUMON.EXE	CPUMON.EXE
PID 1020 set thread context of 216	1020	WINCPUL.EXE	WINCPUL.EXE
PID 340 set thread context of 384	340	WINCPUL.EXE	WINCPUL.EXE
PID 3452 set thread context of 6580	3452	USBDRV.EXE	AddInProcess32.exe
PID 6504 set thread context of 6544	6504	wintsklt.exe	wintsklt.exe
PID 3352 set thread context of 6376	3352	wintskl.exe	wintskl.exe
PID 7036 set thread context of 6472	7036	wincalc.exe.exe	InstallUtil.exe
PID 6428 set thread context of 6064	6428	wincalc.exe.exe	InstallUtil.exe
PID 6428 set thread context of 1624	6428	wincalc.exe.exe	InstallUtil.exe
PID 6428 set thread context of 340	6428	wincalc.exe.exe	InstallUtil.exe
PID 6428 set thread context of 976	6428	wincalc.exe.exe	InstallUtil.exe
PID 6428 set thread context of 5236	6428	wincalc.exe.exe	InstallUtil.exe
PID 6428 set thread context of 5500	6428	wincalc.exe.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3572 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2032 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

pid	process
3572	schtasks.exe

pid	process
2032	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
6236	PING.EXE
2368	PING.EXE
2328	PING.EXE
2416	PING.EXE
6232	PING.EXE
5808	PING.EXE
6944	PING.EXE
5384	PING.EXE
5344	PING.EXE
2112	PING.EXE
2872	PING.EXE
2508	PING.EXE
4760	PING.EXE
3916	PING.EXE
3940	PING.EXE
2032	PING.EXE
5556	PING.EXE
3592	PING.EXE
6984	PING.EXE
3972	PING.EXE
3716	PING.EXE
2236	PING.EXE
7088	PING.EXE
1788	PING.EXE
2032	PING.EXE
3308	PING.EXE
5368	PING.EXE
2452	PING.EXE
5232	PING.EXE
4868	PING.EXE
5072	PING.EXE
4488	PING.EXE
4960	PING.EXE
6856	PING.EXE
3900	PING.EXE
1556	PING.EXE
7136	PING.EXE
4060	PING.EXE
6452	PING.EXE
5032	PING.EXE
3592	PING.EXE
6888	PING.EXE
6592	PING.EXE
6868	PING.EXE
2104	PING.EXE
2788	PING.EXE
5524	PING.EXE
2280	PING.EXE
1380	PING.EXE
6140	PING.EXE
6644	PING.EXE
2456	PING.EXE
6516	PING.EXE
6620	PING.EXE
5796	PING.EXE
5656	PING.EXE
2364	PING.EXE
3680	PING.EXE
948	PING.EXE
6656	PING.EXE
1576	PING.EXE
4380	PING.EXE
3132	PING.EXE
4884	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Doge-Miner203.exenotepad.exewinnote.exewinnote.exeUSBDRV.EXEMSCALC.EXECPUMON.EXEWINLOGONS.EXECPUMON.EXEUSBDRV.EXEMSCALC.EXEWINLOGONS.EXEpowershell.exepowershell.exe

pid	process
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
800	Doge-Miner203.exe
3960	notepad.exe
3960	notepad.exe
3960	notepad.exe
3960	notepad.exe
3960	notepad.exe
3960	notepad.exe
3960	notepad.exe
3960	notepad.exe
3960	notepad.exe
5064	winnote.exe
3740	winnote.exe
3740	winnote.exe
3740	winnote.exe
3452	USBDRV.EXE
3252	MSCALC.EXE
4512	CPUMON.EXE
3936	WINLOGONS.EXE
3960	notepad.exe
3252	MSCALC.EXE
3252	MSCALC.EXE
3252	MSCALC.EXE
3936	WINLOGONS.EXE
3452	USBDRV.EXE
4512	CPUMON.EXE
1700	CPUMON.EXE
3712	USBDRV.EXE
3960	notepad.exe
1612	MSCALC.EXE
3960	notepad.exe
1252	WINLOGONS.EXE
3712	USBDRV.EXE
1612	MSCALC.EXE
1612	MSCALC.EXE
1612	MSCALC.EXE
1700	CPUMON.EXE
2640	powershell.exe
1264	powershell.exe
1264	powershell.exe
1252	WINLOGONS.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

InstallUtil.exeCPUMON.EXE

pid process

4916 InstallUtil.exe
5480 CPUMON.EXE

pid	process
4916	InstallUtil.exe
5480	CPUMON.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Doge-Miner203.exenotepad.exeAddInProcess32.exeMSCALC.EXECPUMON.EXEUSBDRV.EXEWINLOGONS.EXEwinnote.exeCPUMON.EXEMSCALC.EXEwinnote.exeUSBDRV.EXEWINLOGONS.EXEpowershell.exepowershell.exeWINRARL.EXEWINRARL.EXEInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	800	Doge-Miner203.exe
Token: SeDebugPrivilege	3960	notepad.exe
Token: SeIncreaseQuotaPrivilege	3884	AddInProcess32.exe
Token: SeSecurityPrivilege	3884	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	3884	AddInProcess32.exe
Token: SeLoadDriverPrivilege	3884	AddInProcess32.exe
Token: SeSystemProfilePrivilege	3884	AddInProcess32.exe
Token: SeSystemtimePrivilege	3884	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	3884	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	3884	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	3884	AddInProcess32.exe
Token: SeBackupPrivilege	3884	AddInProcess32.exe
Token: SeRestorePrivilege	3884	AddInProcess32.exe
Token: SeShutdownPrivilege	3884	AddInProcess32.exe
Token: SeDebugPrivilege	3884	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	3884	AddInProcess32.exe
Token: SeChangeNotifyPrivilege	3884	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	3884	AddInProcess32.exe
Token: SeUndockPrivilege	3884	AddInProcess32.exe
Token: SeManageVolumePrivilege	3884	AddInProcess32.exe
Token: SeImpersonatePrivilege	3884	AddInProcess32.exe
Token: SeCreateGlobalPrivilege	3884	AddInProcess32.exe
Token: 33	3884	AddInProcess32.exe
Token: 34	3884	AddInProcess32.exe
Token: 35	3884	AddInProcess32.exe
Token: 36	3884	AddInProcess32.exe
Token: SeDebugPrivilege	3252	MSCALC.EXE
Token: SeDebugPrivilege	4512	CPUMON.EXE
Token: SeDebugPrivilege	3452	USBDRV.EXE
Token: SeDebugPrivilege	3936	WINLOGONS.EXE
Token: SeDebugPrivilege	5064	winnote.exe
Token: SeDebugPrivilege	1700	CPUMON.EXE
Token: SeDebugPrivilege	1612	MSCALC.EXE
Token: SeDebugPrivilege	3740	winnote.exe
Token: SeDebugPrivilege	3712	USBDRV.EXE
Token: SeDebugPrivilege	1252	WINLOGONS.EXE
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	4324	WINRARL.EXE
Token: SeDebugPrivilege	1280	WINRARL.EXE
Token: SeIncreaseQuotaPrivilege	3276	InstallUtil.exe
Token: SeSecurityPrivilege	3276	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	3276	InstallUtil.exe
Token: SeLoadDriverPrivilege	3276	InstallUtil.exe
Token: SeSystemProfilePrivilege	3276	InstallUtil.exe
Token: SeSystemtimePrivilege	3276	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	3276	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3276	InstallUtil.exe
Token: SeCreatePagefilePrivilege	3276	InstallUtil.exe
Token: SeBackupPrivilege	3276	InstallUtil.exe
Token: SeRestorePrivilege	3276	InstallUtil.exe
Token: SeShutdownPrivilege	3276	InstallUtil.exe
Token: SeDebugPrivilege	3276	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	3276	InstallUtil.exe
Token: SeChangeNotifyPrivilege	3276	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	3276	InstallUtil.exe
Token: SeUndockPrivilege	3276	InstallUtil.exe
Token: SeManageVolumePrivilege	3276	InstallUtil.exe
Token: SeImpersonatePrivilege	3276	InstallUtil.exe
Token: SeCreateGlobalPrivilege	3276	InstallUtil.exe
Token: 33	3276	InstallUtil.exe
Token: 34	3276	InstallUtil.exe
Token: 35	3276	InstallUtil.exe
Token: 36	3276	InstallUtil.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AddInProcess32.exeInstallUtil.exeAUDIOPT.EXEInstallUtil.exeCPUMON.EXEAddInProcess32.exeWINLOGONS.EXE

pid process

3884 AddInProcess32.exe
3276 InstallUtil.exe
5092 AUDIOPT.EXE
4916 InstallUtil.exe
5480 CPUMON.EXE
5288 AddInProcess32.exe
5348 WINLOGONS.EXE

pid	process
3884	AddInProcess32.exe
3276	InstallUtil.exe
5092	AUDIOPT.EXE
4916	InstallUtil.exe
5480	CPUMON.EXE
5288	AddInProcess32.exe
5348	WINLOGONS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Doge-Miner203.execmd.execmd.exenotepad.exeAddInProcess32.exe

description	pid	process	target process
PID 800 wrote to memory of 216	800	Doge-Miner203.exe	cmd.exe
PID 800 wrote to memory of 216	800	Doge-Miner203.exe	cmd.exe
PID 800 wrote to memory of 216	800	Doge-Miner203.exe	cmd.exe
PID 216 wrote to memory of 2328	216	cmd.exe	PING.EXE
PID 216 wrote to memory of 2328	216	cmd.exe	PING.EXE
PID 216 wrote to memory of 2328	216	cmd.exe	PING.EXE
PID 800 wrote to memory of 1920	800	Doge-Miner203.exe	cmd.exe
PID 800 wrote to memory of 1920	800	Doge-Miner203.exe	cmd.exe
PID 800 wrote to memory of 1920	800	Doge-Miner203.exe	cmd.exe
PID 1920 wrote to memory of 2872	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 2872	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 2872	1920	cmd.exe	PING.EXE
PID 216 wrote to memory of 3848	216	cmd.exe	reg.exe
PID 216 wrote to memory of 3848	216	cmd.exe	reg.exe
PID 216 wrote to memory of 3848	216	cmd.exe	reg.exe
PID 1920 wrote to memory of 5032	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 5032	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 5032	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 3960	1920	cmd.exe	notepad.exe
PID 1920 wrote to memory of 3960	1920	cmd.exe	notepad.exe
PID 1920 wrote to memory of 3960	1920	cmd.exe	notepad.exe
PID 3960 wrote to memory of 3752	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3752	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3752	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3752	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3752	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3752	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3752	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 2380	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 2380	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 2380	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 2380	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 2380	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 2380	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 2380	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3884	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3884	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3884	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3884	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3884	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3884	3960	notepad.exe	AddInProcess32.exe
PID 3960 wrote to memory of 3884	3960	notepad.exe	AddInProcess32.exe
PID 3884 wrote to memory of 4512	3884	AddInProcess32.exe	CPUMON.EXE
PID 3884 wrote to memory of 4512	3884	AddInProcess32.exe	CPUMON.EXE
PID 3884 wrote to memory of 4512	3884	AddInProcess32.exe	CPUMON.EXE
PID 3884 wrote to memory of 3252	3884	AddInProcess32.exe	MSCALC.EXE
PID 3884 wrote to memory of 3252	3884	AddInProcess32.exe	MSCALC.EXE
PID 3884 wrote to memory of 3252	3884	AddInProcess32.exe	MSCALC.EXE
PID 3884 wrote to memory of 3452	3884	AddInProcess32.exe	USBDRV.EXE
PID 3884 wrote to memory of 3452	3884	AddInProcess32.exe	USBDRV.EXE
PID 3884 wrote to memory of 3452	3884	AddInProcess32.exe	USBDRV.EXE
PID 3884 wrote to memory of 3936	3884	AddInProcess32.exe	WINLOGONS.EXE
PID 3884 wrote to memory of 3936	3884	AddInProcess32.exe	WINLOGONS.EXE
PID 3884 wrote to memory of 3936	3884	AddInProcess32.exe	WINLOGONS.EXE
PID 3884 wrote to memory of 1280	3884	AddInProcess32.exe	WINRARL.EXE
PID 3884 wrote to memory of 1280	3884	AddInProcess32.exe	WINRARL.EXE
PID 3884 wrote to memory of 1280	3884	AddInProcess32.exe	WINRARL.EXE
PID 3960 wrote to memory of 5064	3960	notepad.exe	winnote.exe
PID 3960 wrote to memory of 5064	3960	notepad.exe	winnote.exe
PID 3960 wrote to memory of 5064	3960	notepad.exe	winnote.exe
PID 3884 wrote to memory of 1700	3884	AddInProcess32.exe	CPUMON.EXE
PID 3884 wrote to memory of 1700	3884	AddInProcess32.exe	CPUMON.EXE
PID 3884 wrote to memory of 1700	3884	AddInProcess32.exe	CPUMON.EXE
PID 3884 wrote to memory of 1612	3884	AddInProcess32.exe	MSCALC.EXE

outlook_office_path 1 IoCs

Processes:

WINLOGONS.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WINLOGONS.EXE

outlook_win_path 1 IoCs

Processes:

WINLOGONS.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WINLOGONS.EXE

C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe
"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 38
    3⤵
    - Runs ping.exe
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
    3⤵
    - Modifies WinLogon for persistence
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 40
    3⤵
    - Runs ping.exe
    PID:2872
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 40
    3⤵
    - Runs ping.exe
    PID:5032
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:3752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Drops file in Drivers directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5480
    - - C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:5392
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Drops file in Drivers directory
        
        PID:6580
    - - C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        6⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        7⤵
        Runs ping.exe
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:6060
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"
        6⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        7⤵
        Runs ping.exe
        
        PID:6516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        7⤵
        Runs ping.exe
        
        PID:5524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:7036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\calc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calc.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\calc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calc.exe"
        9⤵
        Executes dropped EXE
        
        PID:5652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        9⤵
        Runs ping.exe
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        9⤵
        Runs ping.exe
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        9⤵
        Runs ping.exe
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        9⤵
        Runs ping.exe
        
        PID:5656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:7088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        Runs ping.exe
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        Runs ping.exe
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        9⤵
        Runs ping.exe
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:6836
    - - C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:4788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:1960
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Drops file in Drivers directory
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        8⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        8⤵
        Executes dropped EXE
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        8⤵
        Executes dropped EXE
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        8⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        8⤵
        Executes dropped EXE
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        9⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:2576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        8⤵
        Executes dropped EXE
        
        PID:5376
    - - C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"
        6⤵
        Executes dropped EXE
        
        PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        6⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        7⤵
        Runs ping.exe
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:7164
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"
        6⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        7⤵
        Runs ping.exe
        
        PID:6620
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        7⤵
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:6428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:5128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\calc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calc.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\calc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calc.exe"
        9⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:2016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:5556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:5164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        9⤵
        Runs ping.exe
        
        PID:6888
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:5740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:6656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:7056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        9⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        Runs ping.exe
        
        PID:7136
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        Runs ping.exe
        
        PID:6232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        9⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        9⤵
        Runs ping.exe
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        9⤵
        Runs ping.exe
        
        PID:6644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        9⤵
        Runs ping.exe
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        9⤵
        Runs ping.exe
        
        PID:6944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:4056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        Runs ping.exe
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:5368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:5344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        9⤵
        Runs ping.exe
        
        PID:6452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:7040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        9⤵
        Runs ping.exe
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        Runs ping.exe
        
        PID:6140
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:6656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        Runs ping.exe
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        9⤵
        Runs ping.exe
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        9⤵
        Modifies WinLogon for persistence
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        9⤵
        Runs ping.exe
        
        PID:6984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"
        8⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        9⤵
        Runs ping.exe
        
        PID:3716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Drops file in Drivers directory
        Suspicious use of SetWindowsHookEx
        
        PID:5288
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"
        6⤵
        Executes dropped EXE
        
        PID:5320
    - - C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Drops file in Drivers directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        8⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        8⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        8⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        9⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        8⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:2020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        8⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp831C.tmp.bat""
        9⤵
        
        PID:920
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:3352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        11⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        11⤵
        Executes dropped EXE
        
        PID:6376
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:4776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        8⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        NTFS ADS
        
        PID:4876
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        "C:\Users\Admin\Documents\wintsklt.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:6504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        10⤵
        
        PID:3176
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        10⤵
        Executes dropped EXE
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        8⤵
        
        PID:5052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        8⤵
        
        PID:5296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        8⤵
        
        PID:408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        8⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        8⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        8⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        8⤵
        Executes dropped EXE
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        8⤵
        Executes dropped EXE
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        8⤵
        Executes dropped EXE
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        8⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        9⤵
        
        PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\winnote.exe
      "C:\Users\Admin\AppData\Local\Temp\winnote.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\winnote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winnote.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:6920
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        5⤵
        Runs ping.exe
        
        PID:3680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:6228
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        5⤵
        Runs ping.exe
        
        PID:3132
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:7000
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:5812
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        5⤵
        Runs ping.exe
        
        PID:6856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:6484
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:4332
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        5⤵
        Runs ping.exe
        
        PID:948
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:6052
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:428
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        5⤵
        Runs ping.exe
        
        PID:4884
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:6272
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:2528
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        5⤵
        Runs ping.exe
        
        PID:5796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:3448
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 36
        5⤵
        Runs ping.exe
        
        PID:2416
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:5752
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:3540
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        5⤵
        Runs ping.exe
        
        PID:5232
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:6220
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        5⤵
        Runs ping.exe
        
        PID:4868
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:4216
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:3364
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        5⤵
        Runs ping.exe
        
        PID:5808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:4248
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        5⤵
        Runs ping.exe
        
        PID:6236
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:4144
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        5⤵
        
        PID:4712
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
        5⤵
        Modifies WinLogon for persistence
        
        PID:5488
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 35
        5⤵
        Runs ping.exe
        
        PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:6596
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        5⤵
        Runs ping.exe
        
        PID:6592
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
      4⤵
      PID:2724
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        5⤵
        Runs ping.exe
        
        PID:6868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSCALC.EXE.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINRARL.EXE.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe

Filesize
6.1MB

MD5
d7e6fd264bc937e3646de58e551a29db

SHA1
1db4664777b17e004f71cee4002f9ccc430413e4

SHA256
463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

SHA512
cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe

Filesize
6.1MB

MD5
d7e6fd264bc937e3646de58e551a29db

SHA1
1db4664777b17e004f71cee4002f9ccc430413e4

SHA256
463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

SHA512
cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
4ccf9b36a34ec10d277a8f80f7018af9

SHA1
4e72e6371f9da5d7e50134705a0f5493d06f2959

SHA256
b4ae420de95cb94fe1321ab400be534dd836766f7e215a812c38ce1e0fc5c8b8

SHA512
7d46f59a96eb39e493b50a9189d3e1250f10743b4bab707c4c61851c05d5ad4661a51db0f08b1becef3c22810e73b16a80d30f0e5a131a11b30fc971b28a3cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
14b0de220a43e4594934462465dba7d3

SHA1
f906e8d7fe5ce8fecd3c91af4547a22b5263c8d7

SHA256
4bf190eb5672e3d7fb2b0d0cb1da48e200de307d94b4c65429a29def9081e98f

SHA512
20f211d801c529a90db241c24cfba88184ea20ef5793f0fef5f1390343a51096bfe916df9c6241a38ad0215e3838a29c996a84fe31e99323c24ac34a506e1795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
7140c03056ce91125d50e60a7fc68ff6

SHA1
c7a0197691fc849068a9c182545fc60469ee8364

SHA256
94bb3ca0074058655835e550ace7e54e4e9a219a1e36c99baa22f3a84d1c9a74

SHA512
43024cf683d9281483117d5282969499a9e87bc56e7e55bca4fbf7a618f9dce84b9762fbc7316c016fd20ec852477e3041c4463ce88552fb011e377c8739f779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
81f6ff47ad63e370c1277a959c190ae5

SHA1
54e3ee4edebde1ff54daab840b9925e49df8dd62

SHA256
c6055e6f18b1c76e8d4462dd407efc5611b8ad3043ddedba55a5c5d2519f4fb1

SHA512
20489c98a7e07cebb41c45648014a897a4a2352cf911ea2baf1af37ce4bb46a9168b3d6ae9b1c452ba3a2b54c8397992677777e99953ed4d7350819fa33e174f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
528B

MD5
c2be0f60f301d135da1f58043b3100f4

SHA1
24944ac5f62fbb4446ce31795a17d6d3897d76e6

SHA256
98f4ebd2dcc793cefcb7129ba9bab7746be854d91e9ebc5453762addf6e45391

SHA512
8cc4a26dc0998a282667da8e7f3a8e65c6875ce0136b2841a4a69cd07a436bc022836b54acf9338b2323690ce24b7433ce9ea86114425a27d5584cfe266d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE

Filesize
1.5MB

MD5
76ffa2a4e9e69492a0f938dfd5c1e35f

SHA1
d84990e27fae5197ea02216d83c983c93eb93ad5

SHA256
b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476

SHA512
66ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE

Filesize
455KB

MD5
7b6c81fb81040406d3bb5eea00a1fb59

SHA1
4563ed422e8103e50572646bc7b87a0aee2f5832

SHA256
a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef

SHA512
8695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE

Filesize
455KB

MD5
7b6c81fb81040406d3bb5eea00a1fb59

SHA1
4563ed422e8103e50572646bc7b87a0aee2f5832

SHA256
a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef

SHA512
8695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE

Filesize
455KB

MD5
7b6c81fb81040406d3bb5eea00a1fb59

SHA1
4563ed422e8103e50572646bc7b87a0aee2f5832

SHA256
a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef

SHA512
8695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
655KB

MD5
1bb0d863a7b205323d17dcb497a51431

SHA1
76b137c4b913891bdba2a764349d7ccefcef9832

SHA256
13dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df

SHA512
c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
655KB

MD5
1bb0d863a7b205323d17dcb497a51431

SHA1
76b137c4b913891bdba2a764349d7ccefcef9832

SHA256
13dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df

SHA512
c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
655KB

MD5
1bb0d863a7b205323d17dcb497a51431

SHA1
76b137c4b913891bdba2a764349d7ccefcef9832

SHA256
13dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df

SHA512
c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

Filesize
566KB

MD5
8e8ef744cf8dd267c3059f748f2ae16a

SHA1
7e1268dfbd26c536b262bb88d5f803261cc016f5

SHA256
f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9

SHA512
c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.txt

Filesize
84B

MD5
c8cabb6b54616a0662e0ef1c5ccef1eb

SHA1
cf2d9cf73c3697b2f328c48bd623a57299b643f0

SHA256
c3081001c15152e7a052c4b6af5a60c152796fb462fcd567aba081b1f3e3ad14

SHA512
94befd3b09854c5ae84f4c55b0541c1d10fba496364bbdacc6668a4e5b15a337c0bd9788befc1967aaf9b4954d1235c082111b8e463e909849f361106d63dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.txt

Filesize
84B

MD5
c8cabb6b54616a0662e0ef1c5ccef1eb

SHA1
cf2d9cf73c3697b2f328c48bd623a57299b643f0

SHA256
c3081001c15152e7a052c4b6af5a60c152796fb462fcd567aba081b1f3e3ad14

SHA512
94befd3b09854c5ae84f4c55b0541c1d10fba496364bbdacc6668a4e5b15a337c0bd9788befc1967aaf9b4954d1235c082111b8e463e909849f361106d63dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\winnote.txt

Filesize
84B

MD5
1a3bcea083720d0c48b4cfdab9e4b0f0

SHA1
9277f357f6cac57c3b104a0bbc798442c814aa3d

SHA256
040efd1eb920457963410e90a20f074f542cf3edf23ec9e8f006fd372f3f3972

SHA512
be83082194cc43232a9e470228a106991d42e3c081092f222415f91a6c3997534f3cc18c3dacf9edb3967dbf506a95f5fb41216b8f4767295bff7b22ca8692f1

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/216-401-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/216-137-0x0000000000000000-mapping.dmp

Download
memory/340-259-0x0000000000000000-mapping.dmp

Download
memory/384-400-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/384-411-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/628-239-0x0000000000C60000-0x0000000000CE6000-memory.dmp

Filesize
536KB

Download
memory/628-231-0x0000000000000000-mapping.dmp

Download
memory/720-300-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/720-299-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/720-296-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/720-409-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/800-134-0x0000000005B60000-0x0000000005BF2000-memory.dmp

Filesize
584KB

Download
memory/800-136-0x000000000C6C0000-0x000000000C6CA000-memory.dmp

Filesize
40KB

Download
memory/800-135-0x0000000005CA0000-0x0000000005D3C000-memory.dmp

Filesize
624KB

Download
memory/800-132-0x0000000000B80000-0x000000000119A000-memory.dmp

Filesize
6.1MB

Download
memory/800-133-0x0000000006250000-0x00000000067F4000-memory.dmp

Filesize
5.6MB

Download
memory/912-257-0x0000000000000000-mapping.dmp

Download
memory/1020-272-0x0000000000000000-mapping.dmp

Download
memory/1252-186-0x0000000000000000-mapping.dmp

Download
memory/1264-273-0x0000000000000000-mapping.dmp

Download
memory/1264-203-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/1264-373-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1264-198-0x0000000000000000-mapping.dmp

Download
memory/1264-402-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1264-206-0x0000000007A90000-0x000000000810A000-memory.dmp

Filesize
6.5MB

Download
memory/1264-205-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/1280-170-0x0000000000000000-mapping.dmp

Download
memory/1280-174-0x0000000000FF0000-0x000000000121A000-memory.dmp

Filesize
2.2MB

Download
memory/1280-278-0x0000000000000000-mapping.dmp

Download
memory/1288-200-0x0000000000000000-mapping.dmp

Download
memory/1304-217-0x0000000000000000-mapping.dmp

Download
memory/1304-235-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1304-275-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1480-243-0x0000000000000000-mapping.dmp

Download
memory/1480-250-0x0000000000120000-0x00000000001A6000-memory.dmp

Filesize
536KB

Download
memory/1612-182-0x0000000000000000-mapping.dmp

Download
memory/1700-179-0x0000000000000000-mapping.dmp

Download
memory/1920-139-0x0000000000000000-mapping.dmp

Download
memory/1936-284-0x0000000000000000-mapping.dmp

Download
memory/1960-215-0x0000000000000000-mapping.dmp

Download
memory/1984-283-0x0000000000000000-mapping.dmp

Download
memory/2020-248-0x0000000000000000-mapping.dmp

Download
memory/2020-256-0x00000000008A0000-0x000000000091C000-memory.dmp

Filesize
496KB

Download
memory/2164-195-0x0000000000000000-mapping.dmp

Download
memory/2328-138-0x0000000000000000-mapping.dmp

Download
memory/2380-148-0x0000000000000000-mapping.dmp

Download
memory/2576-266-0x0000000000000000-mapping.dmp

Download
memory/2640-201-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/2640-193-0x0000000000000000-mapping.dmp

Download
memory/2640-196-0x00000000027E0000-0x0000000002816000-memory.dmp

Filesize
216KB

Download
memory/2640-207-0x0000000006260000-0x000000000627A000-memory.dmp

Filesize
104KB

Download
memory/2640-199-0x00000000050F0000-0x0000000005718000-memory.dmp

Filesize
6.2MB

Download
memory/2640-202-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/2872-140-0x0000000000000000-mapping.dmp

Download
memory/3252-162-0x0000000000ED0000-0x0000000000F48000-memory.dmp

Filesize
480KB

Download
memory/3252-158-0x0000000000000000-mapping.dmp

Download
memory/3276-216-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3276-293-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3276-214-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3276-212-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3276-210-0x0000000000000000-mapping.dmp

Download
memory/3276-232-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/3308-258-0x0000000000000000-mapping.dmp

Download
memory/3412-276-0x0000000000000000-mapping.dmp

Download
memory/3452-161-0x0000000000000000-mapping.dmp

Download
memory/3452-169-0x0000000000FC0000-0x0000000001068000-memory.dmp

Filesize
672KB

Download
memory/3468-228-0x00000000000B0000-0x00000000001AA000-memory.dmp

Filesize
1000KB

Download
memory/3468-221-0x0000000000000000-mapping.dmp

Download
memory/3508-251-0x0000000000000000-mapping.dmp

Download
memory/3552-263-0x0000000000000000-mapping.dmp

Download
memory/3712-184-0x0000000000000000-mapping.dmp

Download
memory/3716-282-0x0000000000000000-mapping.dmp

Download
memory/3740-187-0x0000000000000000-mapping.dmp

Download
memory/3752-147-0x0000000000000000-mapping.dmp

Download
memory/3848-141-0x0000000000000000-mapping.dmp

Download
memory/3884-154-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/3884-153-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/3884-152-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/3884-150-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/3884-149-0x0000000000000000-mapping.dmp

Download
memory/3884-208-0x0000000000400000-0x0000000000A0D000-memory.dmp

Filesize
6.1MB

Download
memory/3936-173-0x0000000000DB0000-0x0000000000E44000-memory.dmp

Filesize
592KB

Download
memory/3936-166-0x0000000000000000-mapping.dmp

Download
memory/3960-146-0x00000000005B0000-0x0000000000BCA000-memory.dmp

Filesize
6.1MB

Download
memory/3960-143-0x0000000000000000-mapping.dmp

Download
memory/4044-234-0x0000000000680000-0x0000000000738000-memory.dmp

Filesize
736KB

Download
memory/4044-227-0x0000000000000000-mapping.dmp

Download
memory/4048-242-0x0000000000000000-mapping.dmp

Download
memory/4148-407-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4148-375-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4212-269-0x0000000000000000-mapping.dmp

Download
memory/4260-324-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4260-329-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4260-326-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4260-362-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4272-340-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4324-191-0x0000000000000000-mapping.dmp

Download
memory/4368-261-0x0000000000000000-mapping.dmp

Download
memory/4456-260-0x0000000000000000-mapping.dmp

Download
memory/4488-197-0x0000000000000000-mapping.dmp

Download
memory/4512-155-0x0000000000000000-mapping.dmp

Download
memory/4512-163-0x0000000000F40000-0x00000000010CC000-memory.dmp

Filesize
1.5MB

Download
memory/4688-249-0x0000000000000000-mapping.dmp

Download
memory/4776-244-0x0000000000480000-0x0000000000508000-memory.dmp

Filesize
544KB

Download
memory/4776-238-0x0000000000000000-mapping.dmp

Download
memory/4788-211-0x0000000000000000-mapping.dmp

Download
memory/4876-320-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4876-316-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4876-327-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4876-312-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4916-322-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4916-315-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4916-319-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4916-318-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4916-323-0x000000006BEA0000-0x000000006BED9000-memory.dmp

Filesize
228KB

Download
memory/4928-267-0x0000000000000000-mapping.dmp

Download
memory/4956-277-0x0000000000000000-mapping.dmp

Download
memory/4960-204-0x0000000000000000-mapping.dmp

Download
memory/5032-142-0x0000000000000000-mapping.dmp

Download
memory/5064-178-0x0000000000BF0000-0x0000000000C0A000-memory.dmp

Filesize
104KB

Download
memory/5064-175-0x0000000000000000-mapping.dmp

Download
memory/5092-306-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5092-309-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5092-303-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5092-305-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5092-307-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5244-377-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5264-352-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5264-397-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5280-285-0x0000000000000000-mapping.dmp

Download
memory/5288-398-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5320-410-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5320-399-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5332-286-0x0000000000000000-mapping.dmp

Download
memory/5348-379-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5348-287-0x0000000000000000-mapping.dmp

Download
memory/5348-363-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5348-415-0x000000000AB80000-0x000000000AD20000-memory.dmp

Filesize
1.6MB

Download
memory/5392-288-0x0000000000000000-mapping.dmp

Download
memory/5480-378-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5480-364-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5480-382-0x000000006BEA0000-0x000000006BED9000-memory.dmp

Filesize
228KB

Download
memory/5564-289-0x0000000000000000-mapping.dmp

Download
memory/5588-290-0x0000000000000000-mapping.dmp

Download
memory/5636-367-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5884-368-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6020-390-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6580-408-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6644-342-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6720-301-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/6764-328-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download