asyncrat | 1a2d91d4583245bfd63a9b9da90337ba7d4527482c59e26225403500a5cd5379

Resubmissions

21-02-2024 19:45

240221-ygpwbaed6y 10

21-02-2024 19:44

240221-yga26aeh56 3

Analysis

max time kernel
47s
max time network
171s
platform
windows7_x64
resource
win7-20240215-en
submitted
21-02-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8/PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 new-july-july4-02 null discovery infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1584-231-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1584-232-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1584-233-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1584-234-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1584-237-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1584-241-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Executes dropped EXE 16 IoCs

pid	Process
2868	ADOBESERV.EXE
2316	AUDIOPT.EXE
2732	DRVVIDEO.EXE
1572	WINCPUL.EXE
1616	WINLOGONL.EXE
2368	WINPLAY.EXE
2204	ADOBESERV.EXE
2236	DRVVIDEO.EXE
1896	WINPLAY.EXE
2208	WINCPUL.EXE
1924	WINLOGONL.EXE
3004	AUDIOPT.EXE
1704	AUDIOPT.EXE
2964	WINCPUL.EXE
1740	WINCPUL.EXE
1584	WINCPUL.EXE

Loads dropped DLL 16 IoCs

pid	Process
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2560	InstallUtil.exe
2316	AUDIOPT.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 2316 set thread context of 1704	2316	AUDIOPT.EXE	67
PID 1572 set thread context of 1584	1572	WINCPUL.EXE	69

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2560-17-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2560-19-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2560-22-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2560-25-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2560-26-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2560-27-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2560-111-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2560-114-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2560-152-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/1704-204-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1704-206-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1704-209-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1704-211-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1704-213-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1704-214-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1704-215-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1704-219-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1704-220-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2316-287-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2316-293-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
320	2316	WerFault.exe	72
680	1688	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADOBESERV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINPLAY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGONL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUDIOPT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRVVIDEO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUDIOPT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINCPUL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINCPUL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRVVIDEO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGONL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINCPUL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADOBESERV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINPLAY.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUDIOPT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
844	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2972	powershell.exe
1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
1760	powershell.exe
1936	powershell.exe
3052	powershell.exe
108	powershell.exe
1472	powershell.exe
1708	powershell.exe
332	powershell.exe
1852	powershell.exe
1420	powershell.exe
880	powershell.exe
956	powershell.exe
3060	powershell.exe
2316	AUDIOPT.EXE
2316	AUDIOPT.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE
1572	WINCPUL.EXE

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
Token: SeIncreaseQuotaPrivilege	2560	InstallUtil.exe
Token: SeSecurityPrivilege	2560	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	2560	InstallUtil.exe
Token: SeLoadDriverPrivilege	2560	InstallUtil.exe
Token: SeSystemProfilePrivilege	2560	InstallUtil.exe
Token: SeSystemtimePrivilege	2560	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	2560	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2560	InstallUtil.exe
Token: SeCreatePagefilePrivilege	2560	InstallUtil.exe
Token: SeBackupPrivilege	2560	InstallUtil.exe
Token: SeRestorePrivilege	2560	InstallUtil.exe
Token: SeShutdownPrivilege	2560	InstallUtil.exe
Token: SeDebugPrivilege	2560	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	2560	InstallUtil.exe
Token: SeChangeNotifyPrivilege	2560	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	2560	InstallUtil.exe
Token: SeUndockPrivilege	2560	InstallUtil.exe
Token: SeManageVolumePrivilege	2560	InstallUtil.exe
Token: SeImpersonatePrivilege	2560	InstallUtil.exe
Token: SeCreateGlobalPrivilege	2560	InstallUtil.exe
Token: 33	2560	InstallUtil.exe
Token: 34	2560	InstallUtil.exe
Token: 35	2560	InstallUtil.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2316	AUDIOPT.EXE
Token: SeIncreaseQuotaPrivilege	1704	AUDIOPT.EXE
Token: SeSecurityPrivilege	1704	AUDIOPT.EXE
Token: SeTakeOwnershipPrivilege	1704	AUDIOPT.EXE
Token: SeLoadDriverPrivilege	1704	AUDIOPT.EXE
Token: SeSystemProfilePrivilege	1704	AUDIOPT.EXE
Token: SeSystemtimePrivilege	1704	AUDIOPT.EXE
Token: SeProfSingleProcessPrivilege	1704	AUDIOPT.EXE
Token: SeIncBasePriorityPrivilege	1704	AUDIOPT.EXE
Token: SeCreatePagefilePrivilege	1704	AUDIOPT.EXE
Token: SeBackupPrivilege	1704	AUDIOPT.EXE
Token: SeRestorePrivilege	1704	AUDIOPT.EXE
Token: SeShutdownPrivilege	1704	AUDIOPT.EXE
Token: SeDebugPrivilege	1704	AUDIOPT.EXE
Token: SeSystemEnvironmentPrivilege	1704	AUDIOPT.EXE
Token: SeChangeNotifyPrivilege	1704	AUDIOPT.EXE
Token: SeRemoteShutdownPrivilege	1704	AUDIOPT.EXE
Token: SeUndockPrivilege	1704	AUDIOPT.EXE
Token: SeManageVolumePrivilege	1704	AUDIOPT.EXE
Token: SeImpersonatePrivilege	1704	AUDIOPT.EXE
Token: SeCreateGlobalPrivilege	1704	AUDIOPT.EXE
Token: 33	1704	AUDIOPT.EXE
Token: 34	1704	AUDIOPT.EXE
Token: 35	1704	AUDIOPT.EXE
Token: SeDebugPrivilege	1572	WINCPUL.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2560	InstallUtil.exe
1704	AUDIOPT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2972	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	28
PID 1956 wrote to memory of 2972	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	28
PID 1956 wrote to memory of 2972	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	28
PID 1956 wrote to memory of 2972	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	28
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 1956 wrote to memory of 2560	1956	PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr	30
PID 2560 wrote to memory of 2868	2560	InstallUtil.exe	31
PID 2560 wrote to memory of 2868	2560	InstallUtil.exe	31
PID 2560 wrote to memory of 2868	2560	InstallUtil.exe	31
PID 2560 wrote to memory of 2868	2560	InstallUtil.exe	31
PID 2560 wrote to memory of 2316	2560	InstallUtil.exe	32
PID 2560 wrote to memory of 2316	2560	InstallUtil.exe	32
PID 2560 wrote to memory of 2316	2560	InstallUtil.exe	32
PID 2560 wrote to memory of 2316	2560	InstallUtil.exe	32
PID 2560 wrote to memory of 2732	2560	InstallUtil.exe	66
PID 2560 wrote to memory of 2732	2560	InstallUtil.exe	66
PID 2560 wrote to memory of 2732	2560	InstallUtil.exe	66
PID 2560 wrote to memory of 2732	2560	InstallUtil.exe	66
PID 2316 wrote to memory of 1760	2316	AUDIOPT.EXE	65
PID 2316 wrote to memory of 1760	2316	AUDIOPT.EXE	65
PID 2316 wrote to memory of 1760	2316	AUDIOPT.EXE	65
PID 2316 wrote to memory of 1760	2316	AUDIOPT.EXE	65
PID 2560 wrote to memory of 1572	2560	InstallUtil.exe	63
PID 2560 wrote to memory of 1572	2560	InstallUtil.exe	63
PID 2560 wrote to memory of 1572	2560	InstallUtil.exe	63
PID 2560 wrote to memory of 1572	2560	InstallUtil.exe	63
PID 2560 wrote to memory of 1616	2560	InstallUtil.exe	33
PID 2560 wrote to memory of 1616	2560	InstallUtil.exe	33
PID 2560 wrote to memory of 1616	2560	InstallUtil.exe	33
PID 2560 wrote to memory of 1616	2560	InstallUtil.exe	33
PID 2560 wrote to memory of 2368	2560	InstallUtil.exe	34
PID 2560 wrote to memory of 2368	2560	InstallUtil.exe	34
PID 2560 wrote to memory of 2368	2560	InstallUtil.exe	34
PID 2560 wrote to memory of 2368	2560	InstallUtil.exe	34
PID 1572 wrote to memory of 1936	1572	WINCPUL.EXE	62
PID 1572 wrote to memory of 1936	1572	WINCPUL.EXE	62
PID 1572 wrote to memory of 1936	1572	WINCPUL.EXE	62
PID 1572 wrote to memory of 1936	1572	WINCPUL.EXE	62
PID 2560 wrote to memory of 2204	2560	InstallUtil.exe	61
PID 2560 wrote to memory of 2204	2560	InstallUtil.exe	61
PID 2560 wrote to memory of 2204	2560	InstallUtil.exe	61
PID 2560 wrote to memory of 2204	2560	InstallUtil.exe	61
PID 2560 wrote to memory of 3004	2560	InstallUtil.exe	60
PID 2560 wrote to memory of 3004	2560	InstallUtil.exe	60
PID 2560 wrote to memory of 3004	2560	InstallUtil.exe	60
PID 2560 wrote to memory of 3004	2560	InstallUtil.exe	60
PID 2560 wrote to memory of 2236	2560	InstallUtil.exe	59
PID 2560 wrote to memory of 2236	2560	InstallUtil.exe	59
PID 2560 wrote to memory of 2236	2560	InstallUtil.exe	59
PID 2560 wrote to memory of 2236	2560	InstallUtil.exe	59
PID 2560 wrote to memory of 2208	2560	InstallUtil.exe	58
PID 2560 wrote to memory of 2208	2560	InstallUtil.exe	58
PID 2560 wrote to memory of 2208	2560	InstallUtil.exe	58
PID 2560 wrote to memory of 2208	2560	InstallUtil.exe	58
PID 2560 wrote to memory of 1924	2560	InstallUtil.exe	57

C:\Users\Admin\AppData\Local\Temp\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr
"C:\Users\Admin\AppData\Local\Temp\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8\PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr" /S
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
    "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:2316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 220
        5⤵
        Program crash
        
        PID:320
- - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
    "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1704
- - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:348
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:324
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
      C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
      4⤵
      PID:1424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB625.tmp.bat""
        5⤵
        
        PID:2420
      - C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        6⤵
        
        PID:940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        7⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        7⤵
        
        PID:348
- - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
      C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
      4⤵
      PID:1300
- - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
      4⤵
      PID:2428
- - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      4⤵
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
    "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      4⤵
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
    "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      4⤵
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      4⤵
      PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
      4⤵
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
    "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2204
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      4⤵
      Executes dropped EXE
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
      4⤵
      Executes dropped EXE
      PID:1740
- - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
    "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      4⤵
      PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
      4⤵
      PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2396

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
1⤵
PID:2408
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  PID:2716
- C:\Users\Admin\Documents\wintsklt.exe
  C:\Users\Admin\Documents\wintsklt.exe
  2⤵
  PID:2484
- C:\Users\Admin\Documents\wintsklt.exe
  C:\Users\Admin\Documents\wintsklt.exe
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 200
    3⤵
    - Program crash
    PID:680

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB625.tmp.bat

Filesize
151B

MD5
c3b6bc5f937d526e984784c4f0208789

SHA1
456adaa0b752702bf1dd1d53f11728dcb0fff1d3

SHA256
1ea28301e8ca3c698ca7217cbf6df6a31c3c4fd590d5c8241d68cda2492cc628

SHA512
b33b605988b4e2b554cd5f44b78a26afe577d617563007abc1d5ce196047065294e21106e8619f754faba9281cba6836bf16da1e1b4dfcf86a09bc9b79e8bd00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5G1V2IVT8ZLAJV52SVDN.temp

Filesize
7KB

MD5
c200bde4beb67169cafe225cf31a6aa6

SHA1
14c4478eb99f8f7a6e1aac17931f34bc46134b04

SHA256
9caaeeaa652ffc9870cf6cc3f1742e248790c3285a117ff045f2d6ee7ca275c6

SHA512
2ed802851edb9317b9a54a5ebf2d901f99a24b34b7a44b07459df337cd209c4149e529ef20783eba5204303433125a58c371fdc3839dcfa0a4e788c298b79317

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
28.2MB

MD5
76a02cb9f7913fd53e7db075b271bdb6

SHA1
dd262055ddfdb2ce258dd18d10570a8fa1ec8f35

SHA256
538ac660cead521da850bd38b5289c2e848c7503b16ed84b6cfea53867a683f3

SHA512
812b7cee4ab3bdfcb6e6091174fdfff414cf5816b3a6e62110de92b8c540a12ad0b351d84512f1af617a35342898ceb38c4b080f75bedb4e1078172de6488ed4

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
memory/108-178-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1300-256-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-267-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-286-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-275-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1424-260-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1424-258-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1552-274-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1572-88-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/1572-79-0x0000000000F30000-0x0000000000FB8000-memory.dmp

Filesize
544KB

Download
memory/1572-82-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1572-80-0x0000000000A80000-0x0000000000ADC000-memory.dmp

Filesize
368KB

Download
memory/1584-228-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-232-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-241-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-237-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-230-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-235-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1584-231-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-226-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-233-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1584-234-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1616-110-0x00000000007A0000-0x00000000007FA000-memory.dmp

Filesize
360KB

Download
memory/1616-92-0x00000000003A0000-0x0000000000426000-memory.dmp

Filesize
536KB

Download
memory/1616-91-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-115-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/1704-206-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-213-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-202-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-204-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-207-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1704-209-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-211-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-214-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-215-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-219-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1704-220-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1760-101-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-108-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-104-0x0000000002E70000-0x0000000002EB0000-memory.dmp

Filesize
256KB

Download
memory/1760-109-0x0000000002E70000-0x0000000002EB0000-memory.dmp

Filesize
256KB

Download
memory/1760-112-0x0000000002E70000-0x0000000002EB0000-memory.dmp

Filesize
256KB

Download
memory/1896-132-0x0000000000D20000-0x0000000000D60000-memory.dmp

Filesize
256KB

Download
memory/1896-123-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-124-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-134-0x0000000000880000-0x00000000008C0000-memory.dmp

Filesize
256KB

Download
memory/1936-136-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-135-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/1936-137-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/1936-138-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/1936-139-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-0-0x0000000000300000-0x0000000000506000-memory.dmp

Filesize
2.0MB

Download
memory/1956-11-0x0000000004430000-0x0000000004470000-memory.dmp

Filesize
256KB

Download
memory/1956-24-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-10-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-4-0x00000000020D0000-0x000000000211C000-memory.dmp

Filesize
304KB

Download
memory/1956-3-0x0000000005370000-0x000000000555C000-memory.dmp

Filesize
1.9MB

Download
memory/1956-1-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1956-2-0x0000000004430000-0x0000000004470000-memory.dmp

Filesize
256KB

Download
memory/2204-122-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-131-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-133-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2236-125-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-48-0x0000000000BD0000-0x0000000000C58000-memory.dmp

Filesize
544KB

Download
memory/2316-287-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2316-51-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2316-293-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2316-50-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-46-0x0000000000CA0000-0x0000000000D58000-memory.dmp

Filesize
736KB

Download
memory/2368-118-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-103-0x0000000000480000-0x00000000004D0000-memory.dmp

Filesize
320KB

Download
memory/2368-120-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2368-89-0x0000000001350000-0x00000000013CC000-memory.dmp

Filesize
496KB

Download
memory/2560-15-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-19-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-17-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-111-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-28-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2560-114-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-22-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-152-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-27-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-25-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2560-26-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2732-90-0x0000000000310000-0x0000000000396000-memory.dmp

Filesize
536KB

Download
memory/2732-87-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-113-0x0000000001E90000-0x0000000001EEC000-memory.dmp

Filesize
368KB

Download
memory/2732-121-0x0000000001DD0000-0x0000000001E10000-memory.dmp

Filesize
256KB

Download
memory/2868-116-0x0000000004DC0000-0x0000000004E62000-memory.dmp

Filesize
648KB

Download
memory/2868-86-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download
memory/2868-49-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-117-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/2868-47-0x00000000001C0000-0x00000000002BA000-memory.dmp

Filesize
1000KB

Download
memory/2972-8-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-12-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-13-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-7-0x000000006FAA0000-0x000000007004B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-9-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/3004-130-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/3052-172-0x0000000002A40000-0x0000000002A80000-memory.dmp

Filesize
256KB

Download
memory/3052-171-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-177-0x0000000002A40000-0x0000000002A80000-memory.dmp

Filesize
256KB

Download
memory/3052-165-0x0000000002A40000-0x0000000002A80000-memory.dmp

Filesize
256KB

Download
memory/3052-150-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download