asyncrat | 45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf

Analysis

max time kernel
54s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b018d9d77edf9c08d39bc6080cf50d2.exe
Size

3.8MB
MD5

1b018d9d77edf9c08d39bc6080cf50d2
SHA1

b24d472f1cb43e0c114de888e9726a6cb8fafca3
SHA256

45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
SHA512

854a81e05309fe51efd17a49f00f2cd95a01a815923b27b055296b1e5ca8c5c718b2bbaabf0bdafce3019201c26c63ecc199a9210cacbf12d5d110b888f395f4
SSDEEP

98304:rwcCJEcjXKOFlOd/iZujgERMOarjSaoYI6gYo1je:rVaawOd/vMsMOaPI6To1je

Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+apre2-new new-july-july4-0 new-july-july4-02 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

Xens_nd8918d

Attributes

delay
5000
install_path
appdata
port
4488
startup_name
rar

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex7

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+Apre2-new

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-3MW33TC

Attributes

gencode
XE9EWd209YcQ
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000900000001234c-52.dat	family_asyncrat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/3384-338-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/3384-348-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/3384-347-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/3384-344-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/3384-354-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/3384-357-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	smsDA7.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe

Executes dropped EXE 28 IoCs

pid	Process
2660	smsA2E.tmp
2612	drvmonit.exe
2700	logons.exe
2588	rarwin.exe
2772	svlhost.exe
2464	smsAF9.tmp
2712	usbserv.exe
2972	winlists.exe
2860	wintskl.exe
2744	smsD78.tmp
1712	smsDA7.tmp
2648	smsE43.tmp
644	drvmonit.exe
2072	usbserv.exe
1740	ADOBESERV.EXE
2988	AUDIOPT.EXE
2820	DRVVIDEO.EXE
2912	WINCPUL.EXE
2496	WINLOGONL.EXE
1200	WINPLAY.EXE
1172	ADOBESERV.EXE
912	AUDIOPT.EXE
3036	WINCPUL.EXE
1092	WINPLAY.EXE
1244	DRVVIDEO.EXE
2156	WINLOGONL.EXE
3360	AUDIOPT.EXE
3384	DRVVIDEO.EXE

Loads dropped DLL 31 IoCs

pid	Process
2660	smsA2E.tmp
2660	smsA2E.tmp
2660	smsA2E.tmp
2596	Process not Found
2660	smsA2E.tmp
2660	smsA2E.tmp
2660	smsA2E.tmp
2660	smsA2E.tmp
1676	Process not Found
2660	smsA2E.tmp
2660	smsA2E.tmp
2980	Process not Found
2660	smsA2E.tmp
2660	smsA2E.tmp
2152	Process not Found
2612	drvmonit.exe
2712	usbserv.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2988	AUDIOPT.EXE
2820	DRVVIDEO.EXE

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-171-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2476-173-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2476-176-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2476-179-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2476-180-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2476-182-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2476-281-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2476-282-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2476-311-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/3360-321-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3360-324-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3368-325-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3368-328-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3360-333-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3360-336-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3368-345-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3360-351-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3360-340-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3360-339-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3360-353-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3368-337-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	rarwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 2476	2588	rarwin.exe	52
PID 2988 set thread context of 3360	2988	AUDIOPT.EXE	89
PID 1740 set thread context of 3368	1740	ADOBESERV.EXE	90
PID 2820 set thread context of 3384	2820	DRVVIDEO.EXE	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3552	3368	WerFault.exe	90
2368	3964	WerFault.exe	102
2132	3976	WerFault.exe	103
3436	4040	WerFault.exe	105
3428	4000	WerFault.exe	104

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2040	schtasks.exe
3612	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3856	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	powershell.exe
2464	smsAF9.tmp
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
644	drvmonit.exe
644	drvmonit.exe
644	drvmonit.exe
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
644	drvmonit.exe
644	drvmonit.exe
644	drvmonit.exe
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
644	drvmonit.exe
644	drvmonit.exe
644	drvmonit.exe
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
644	drvmonit.exe
644	drvmonit.exe
644	drvmonit.exe
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
644	drvmonit.exe
644	drvmonit.exe
644	drvmonit.exe
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
644	drvmonit.exe
644	drvmonit.exe
644	drvmonit.exe
2588	rarwin.exe
2588	rarwin.exe
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
2016	powershell.exe
2132	powershell.exe
1140	powershell.exe
644	drvmonit.exe
644	drvmonit.exe
644	drvmonit.exe
2180	powershell.exe
1532	powershell.exe
788	powershell.exe
2856	powershell.exe
604	powershell.exe
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
2648	smsE43.tmp
1356	powershell.exe
1460	powershell.exe
2900	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2744	smsD78.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2744	smsD78.tmp
Token: SeDebugPrivilege	2744	smsD78.tmp
Token: SeTcbPrivilege	2744	smsD78.tmp
Token: SeIncreaseQuotaPrivilege	1712	smsDA7.tmp
Token: SeSecurityPrivilege	1712	smsDA7.tmp
Token: SeTakeOwnershipPrivilege	1712	smsDA7.tmp
Token: SeLoadDriverPrivilege	1712	smsDA7.tmp
Token: SeSystemProfilePrivilege	1712	smsDA7.tmp
Token: SeSystemtimePrivilege	1712	smsDA7.tmp
Token: SeProfSingleProcessPrivilege	1712	smsDA7.tmp
Token: SeIncBasePriorityPrivilege	1712	smsDA7.tmp
Token: SeCreatePagefilePrivilege	1712	smsDA7.tmp
Token: SeBackupPrivilege	1712	smsDA7.tmp
Token: SeRestorePrivilege	1712	smsDA7.tmp
Token: SeShutdownPrivilege	1712	smsDA7.tmp
Token: SeDebugPrivilege	1712	smsDA7.tmp
Token: SeSystemEnvironmentPrivilege	1712	smsDA7.tmp
Token: SeChangeNotifyPrivilege	1712	smsDA7.tmp
Token: SeRemoteShutdownPrivilege	1712	smsDA7.tmp
Token: SeUndockPrivilege	1712	smsDA7.tmp
Token: SeManageVolumePrivilege	1712	smsDA7.tmp
Token: SeImpersonatePrivilege	1712	smsDA7.tmp
Token: SeCreateGlobalPrivilege	1712	smsDA7.tmp
Token: 33	1712	smsDA7.tmp
Token: 34	1712	smsDA7.tmp
Token: 35	1712	smsDA7.tmp
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2464	smsAF9.tmp
Token: SeDebugPrivilege	2648	smsE43.tmp
Token: SeDebugPrivilege	644	drvmonit.exe
Token: SeDebugPrivilege	2588	rarwin.exe
Token: SeIncreaseQuotaPrivilege	2476	InstallUtil.exe
Token: SeSecurityPrivilege	2476	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	2476	InstallUtil.exe
Token: SeLoadDriverPrivilege	2476	InstallUtil.exe
Token: SeSystemProfilePrivilege	2476	InstallUtil.exe
Token: SeSystemtimePrivilege	2476	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	2476	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2476	InstallUtil.exe
Token: SeCreatePagefilePrivilege	2476	InstallUtil.exe
Token: SeBackupPrivilege	2476	InstallUtil.exe
Token: SeRestorePrivilege	2476	InstallUtil.exe
Token: SeShutdownPrivilege	2476	InstallUtil.exe
Token: SeDebugPrivilege	2476	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	2476	InstallUtil.exe
Token: SeChangeNotifyPrivilege	2476	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	2476	InstallUtil.exe
Token: SeUndockPrivilege	2476	InstallUtil.exe
Token: SeManageVolumePrivilege	2476	InstallUtil.exe
Token: SeImpersonatePrivilege	2476	InstallUtil.exe
Token: SeCreateGlobalPrivilege	2476	InstallUtil.exe
Token: 33	2476	InstallUtil.exe
Token: 34	2476	InstallUtil.exe
Token: 35	2476	InstallUtil.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1712	smsDA7.tmp
2744	smsD78.tmp
2476	InstallUtil.exe
3360	AUDIOPT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2660	2400	1b018d9d77edf9c08d39bc6080cf50d2.exe	29
PID 2400 wrote to memory of 2660	2400	1b018d9d77edf9c08d39bc6080cf50d2.exe	29
PID 2400 wrote to memory of 2660	2400	1b018d9d77edf9c08d39bc6080cf50d2.exe	29
PID 2400 wrote to memory of 2660	2400	1b018d9d77edf9c08d39bc6080cf50d2.exe	29
PID 2660 wrote to memory of 2612	2660	smsA2E.tmp	30
PID 2660 wrote to memory of 2612	2660	smsA2E.tmp	30
PID 2660 wrote to memory of 2612	2660	smsA2E.tmp	30
PID 2660 wrote to memory of 2612	2660	smsA2E.tmp	30
PID 2660 wrote to memory of 2700	2660	smsA2E.tmp	31
PID 2660 wrote to memory of 2700	2660	smsA2E.tmp	31
PID 2660 wrote to memory of 2700	2660	smsA2E.tmp	31
PID 2660 wrote to memory of 2700	2660	smsA2E.tmp	31
PID 2660 wrote to memory of 2588	2660	smsA2E.tmp	33
PID 2660 wrote to memory of 2588	2660	smsA2E.tmp	33
PID 2660 wrote to memory of 2588	2660	smsA2E.tmp	33
PID 2660 wrote to memory of 2588	2660	smsA2E.tmp	33
PID 2660 wrote to memory of 2772	2660	smsA2E.tmp	34
PID 2660 wrote to memory of 2772	2660	smsA2E.tmp	34
PID 2660 wrote to memory of 2772	2660	smsA2E.tmp	34
PID 2660 wrote to memory of 2772	2660	smsA2E.tmp	34
PID 2700 wrote to memory of 2464	2700	logons.exe	37
PID 2700 wrote to memory of 2464	2700	logons.exe	37
PID 2700 wrote to memory of 2464	2700	logons.exe	37
PID 2660 wrote to memory of 2712	2660	smsA2E.tmp	36
PID 2660 wrote to memory of 2712	2660	smsA2E.tmp	36
PID 2660 wrote to memory of 2712	2660	smsA2E.tmp	36
PID 2660 wrote to memory of 2712	2660	smsA2E.tmp	36
PID 2660 wrote to memory of 2972	2660	smsA2E.tmp	38
PID 2660 wrote to memory of 2972	2660	smsA2E.tmp	38
PID 2660 wrote to memory of 2972	2660	smsA2E.tmp	38
PID 2660 wrote to memory of 2972	2660	smsA2E.tmp	38
PID 2660 wrote to memory of 2860	2660	smsA2E.tmp	40
PID 2660 wrote to memory of 2860	2660	smsA2E.tmp	40
PID 2660 wrote to memory of 2860	2660	smsA2E.tmp	40
PID 2660 wrote to memory of 2860	2660	smsA2E.tmp	40
PID 2772 wrote to memory of 2744	2772	svlhost.exe	42
PID 2772 wrote to memory of 2744	2772	svlhost.exe	42
PID 2772 wrote to memory of 2744	2772	svlhost.exe	42
PID 2772 wrote to memory of 2744	2772	svlhost.exe	42
PID 2972 wrote to memory of 1712	2972	winlists.exe	43
PID 2972 wrote to memory of 1712	2972	winlists.exe	43
PID 2972 wrote to memory of 1712	2972	winlists.exe	43
PID 2972 wrote to memory of 1712	2972	winlists.exe	43
PID 2860 wrote to memory of 2648	2860	wintskl.exe	44
PID 2860 wrote to memory of 2648	2860	wintskl.exe	44
PID 2860 wrote to memory of 2648	2860	wintskl.exe	44
PID 2860 wrote to memory of 2648	2860	wintskl.exe	44
PID 2612 wrote to memory of 644	2612	drvmonit.exe	45
PID 2612 wrote to memory of 644	2612	drvmonit.exe	45
PID 2612 wrote to memory of 644	2612	drvmonit.exe	45
PID 2612 wrote to memory of 644	2612	drvmonit.exe	45
PID 2712 wrote to memory of 2072	2712	usbserv.exe	47
PID 2712 wrote to memory of 2072	2712	usbserv.exe	47
PID 2712 wrote to memory of 2072	2712	usbserv.exe	47
PID 2712 wrote to memory of 2072	2712	usbserv.exe	47
PID 2588 wrote to memory of 1508	2588	rarwin.exe	48
PID 2588 wrote to memory of 1508	2588	rarwin.exe	48
PID 2588 wrote to memory of 1508	2588	rarwin.exe	48
PID 2588 wrote to memory of 1508	2588	rarwin.exe	48
PID 644 wrote to memory of 2040	644	drvmonit.exe	50
PID 644 wrote to memory of 2040	644	drvmonit.exe	50
PID 644 wrote to memory of 2040	644	drvmonit.exe	50
PID 644 wrote to memory of 2040	644	drvmonit.exe	50
PID 2588 wrote to memory of 2476	2588	rarwin.exe	52

C:\Users\Admin\AppData\Local\Temp\1b018d9d77edf9c08d39bc6080cf50d2.exe
"C:\Users\Admin\AppData\Local\Temp\1b018d9d77edf9c08d39bc6080cf50d2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\smsA2E.tmp
  "C:\Users\Admin\AppData\Local\Temp\smsA2E.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\drvmonit.exe
    "C:\Users\Admin\AppData\Local\Temp\drvmonit.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Roaming\XenoManager\drvmonit.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\drvmonit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:644
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "rar" /XML "C:\Users\Admin\AppData\Local\Temp\tmp23B6.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2040
- - C:\Users\Admin\AppData\Local\Temp\logons.exe
    "C:\Users\Admin\AppData\Local\Temp\logons.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\smsAF9.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsAF9.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\rarwin.exe
    "C:\Users\Admin\AppData\Local\Temp\rarwin.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Drops file in Drivers directory
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1740
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 220
        7⤵
        Program crash
        
        PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2988
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3360
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2820
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:3724
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Executes dropped EXE
        
        PID:2912
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        
        PID:3904
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Executes dropped EXE
        
        PID:2496
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 200
        7⤵
        Program crash
        
        PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Executes dropped EXE
        
        PID:1200
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        
        PID:3896
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4FB6.tmp.bat""
        7⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:3856
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        8⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        9⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        9⤵
        
        PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Executes dropped EXE
        
        PID:1172
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 220
        7⤵
        Program crash
        
        PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Executes dropped EXE
        
        PID:912
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        
        PID:4052
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        
        PID:4092
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Executes dropped EXE
        
        PID:1244
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 200
        7⤵
        Program crash
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Executes dropped EXE
        
        PID:3036
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        
        PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Executes dropped EXE
        
        PID:2156
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 200
        7⤵
        Program crash
        
        PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Executes dropped EXE
        
        PID:1092
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        
        PID:3920
- - C:\Users\Admin\AppData\Local\Temp\svlhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svlhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\smsD78.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsD78.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2744
- - C:\Users\Admin\AppData\Local\Temp\usbserv.exe
    "C:\Users\Admin\AppData\Local\Temp\usbserv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Roaming\XenoManager\usbserv.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\usbserv.exe"
      4⤵
      Executes dropped EXE
      PID:2072
- - C:\Users\Admin\AppData\Local\Temp\winlists.exe
    "C:\Users\Admin\AppData\Local\Temp\winlists.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\smsDA7.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsDA7.tmp"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\wintskl.exe
    "C:\Users\Admin\AppData\Local\Temp\wintskl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\smsE43.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsE43.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rarwin.exe

Filesize
2.1MB

MD5
fe9307672b900d6638ef9653a80eeabd

SHA1
865071fedd32abd1fc159584229095cc98e25464

SHA256
8620630492a1e6a6ebe6172249ba1425895af430bd77c8f1e2a2bfe407a231ee

SHA512
3d67204db32d496b44f6aaad59ce2fd40c51a003ab82d36f1cb47d6caa5d458ee75192ded9fde8683f2c850e4eaad9b8a984387d2951d2bf1bb9bbc5b40eaabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsA2E.tmp

Filesize
3.6MB

MD5
c0811a2b760f26064e108332abb981b0

SHA1
9cddfea05f18c464822c822199a890bc24e4c592

SHA256
8cd70df79057b6cf818686eccc6aeef128e75d49288dc737c434987a759067b0

SHA512
cdfafb3c0ff42d8998b57913eea7594fdfb61de1972c6da10ce9f220618652682672ef1d8f3503ac8ddf54d2e411d1e69622fa0d3094d8d4d56740d9fbbb9ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsAF9.tmp

Filesize
46KB

MD5
a091efe9f16f062fc0985704029b18ef

SHA1
41a58ee152864c3c2eb450e93455a095db24e3fe

SHA256
5a1e12022bdc3f4a423852e24065d9aaf3eb2ee65ca584be71a8c228dd23a7af

SHA512
a0518b633d43d75aa8a1483d4eb15e43fdde301757407de7357e3dffe260d44bc31dce3392b98c6fa989c9c969601575264f15ee178728cac2b90c0b190ea718

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsD78.tmp

Filesize
733KB

MD5
04e6960a21235431867b45d9b98e637a

SHA1
62e8b447a96a21a3c359e4beee0431542bbfd5d6

SHA256
516d2df50001db9fda81065f989f574bfdafa3f25fda48cb9afdba756301152a

SHA512
95c21edac1233ec31170efcf47fc10f3b652c29eadac2cd795a214373e66b22c64d8caa7f18d19b93bfb587c9d68be29ebdd55105522528cdedf094a034068fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsDA7.tmp

Filesize
658KB

MD5
114ceda9d99182aff52b3a6faa1bd2a5

SHA1
f5cc13c4a61546fa8e5a43c25483edf773127d79

SHA256
be1d435fda61f1389c6218d5e107e87a2b61f6dc818466bdc6f2b5b631834d3f

SHA512
e8a788398e48c7640c8326dec20c9c459d506be530c3f0845172f6ad371ca2d2276c003a402874daa5cf453a11840c570f95f03229c0f0801416a6616be1f246

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsE43.tmp

Filesize
45KB

MD5
8ccf0cd31941c113e7ed1047cf6cd7d2

SHA1
e460bf7e54ffb34dc66c0bf49ef08fe9e886517d

SHA256
694f320302a9bf8a79ca16e91d8ab7dabef9ff05d2b450bd5ffad4fb6b62eff5

SHA512
cb2beb5af8ff4eaa6cf85502afa195f8a37adae18b4dc1b6d1855ffac656fefdad24035ba77a7e56278bd12b9b1b27682e7bacdf5779e7c0674edb7c732c7fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23B6.tmp

Filesize
1KB

MD5
a65790d60afe7f29b546aeb30d6418ea

SHA1
16c17e7ff6ceb356edd377ee81556e76e1d17c76

SHA256
d75cb1474855704eac6fd2718796f4bb149b99a338351f5f187329cf0c00785a

SHA512
b8fd846a46cf4525ac2fd0fa5f04d504bc559ee7635edd695bcbfae9ec9601f955fbef9a44d429c70c0a5823597587a08bd3b063c284f37f85f4445cadcffb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FB6.tmp.bat

Filesize
151B

MD5
52c0c5dad17abf871f6f8219ba1cb367

SHA1
8274b3be131e6f87d20b662b1600031c1c640f08

SHA256
c7eb841a4dddc786e6456d4872deae1170bd2d0aa56d3c649ca56e18c2c8aaaf

SHA512
6cefebbd77e5fb464cfa0390dba2bd74406fb4a549646d93d2c5472b776403c7f84b40cff96caed2e04e9a91f0026f16c8107d7e2cdab925ed8cd47ff95371eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\usbserv.exe

Filesize
202KB

MD5
505c9499e2e9d1d898a66084b24b7fa0

SHA1
eb9cc5e05250e4b632139daadcbd337bcebb6ca1

SHA256
0f0b7aac076e447f866220e179d30b8f2623e71f2fae519a02249a83ae9808f6

SHA512
5a0047ca876827211ed5e7e6645135ee5c561ace1d2e2f4f6284daa13530ee652ad9723a3682e9e0b307b5bd814e79f4e9e72099296437b882b3eaf356b7dc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlists.exe

Filesize
671KB

MD5
f159464e574a24e7b075bc82241bb094

SHA1
fba9d7b3ddc51f2b52a62d701a512f57ab3445cc

SHA256
d6b681cd4e8214b2263f4ee48a4c8f93bc7aeedbfd256a6647471b252093b51b

SHA512
6e30961b7d46e09756932b19ad5eb1da3e7cd12cba840c76573920fc85985556f2459a76a214bf5dc129c8961b749545316171211e28f08e9b6f73d0792ea703

Download Submit
C:\Users\Admin\AppData\Local\Temp\wintskl.exe

Filesize
58KB

MD5
99c597e6e14f7ea4725d7157329657e8

SHA1
66bbcf2696ee8d4c96dde1b3d9be8ca212102b08

SHA256
e9292b321ecf224f4ff9a61481957ec9c6aba73bf930fce593cab13e883b6bfc

SHA512
b31c8652252772438445c9134d5a175c08cbd67d3f6575ee7e66e27b59b83e7213852b6736fdccbd873fa77eb66918b15b2ff690e3bee8ccf45dca207a6ec52e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M3YCB4OUXCAAYX02QH4Q.temp

Filesize
7KB

MD5
9351fb611e7cc091987439a90687985a

SHA1
ee1d4110a4aaf17c265c288eb5f268c3c59fd7af

SHA256
adcd8d56a442148ce08e14ffcc91346f12fd0ba465240c882f9e73968fcaaab4

SHA512
c2af8c57caa4d6697c1d0960dc0e5999758253e9142e4fd59239ab3749e95602edfb4b82e9737f4117bfd1086936157106bb82008677e48536b333edcf957082

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe

Filesize
43.2MB

MD5
3d2c81bd7ea62469f93d77ea54e4499d

SHA1
076c5d940495f103f84adada99673e89507cae02

SHA256
7f6f27108c386477a6983c537f27a15b770769743d312be6353a30aecfa8f7e8

SHA512
23ebbd5788af6d2616447d017af68e160ee391485f7965d9e023657ac89e577f758c67a35dde3a5f583a9484ecd61cc9632b46d766bb8b222dd337a60afed648

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
\Users\Admin\AppData\Local\Temp\drvmonit.exe

Filesize
150KB

MD5
c415a21e89694c691c2808ef19e8e7d9

SHA1
644ba9c39d3579a0419cd1ca52ed361eab8c50b6

SHA256
771cf79fda975168bdb756280aafc59d96f767b03928e48d8b2935548702237a

SHA512
823de8d7a58c88df0a9cf093223a1eab106d68e5939bd9a1d7954ac69f9d5f6237b01d4943ad996dcbed312baf331d7fd99c53d096be40ceddcb99514e412343

Download Submit
\Users\Admin\AppData\Local\Temp\logons.exe

Filesize
59KB

MD5
466a4fab74714d28172502dc09ada184

SHA1
2588e5a49b4c58f61627cfecab983705ff54dda1

SHA256
badd6f0f78c14773e916ae11ace9f83b6db9cb52f242a16a86a1ac7f418dfe15

SHA512
6b897c5ba51fe79a1320ddd2f3fa6fe0af482f711ea37d3b6412e026514cca5d2450068d1e485a33236f4c9bbea29a182e9c652517dd01ee34818afb193f6354

Download Submit
\Users\Admin\AppData\Local\Temp\svlhost.exe

Filesize
746KB

MD5
a560aec0d762f7d49aa35cab16241688

SHA1
80cdb8bd681d072c696a75607bad696f92c67329

SHA256
73dc84de5b8abe542496d8621faed0c2957a7971e55f56f8d3923f5e3aa82b59

SHA512
046f9b799a5cd53b8bc71d56bf59bb479972d098d85ed385dc1ef218d17f25078eaca7de516357fa620d6fe1ce2c594b3bdd508687fc9e415eb64d13a2032721

Download Submit
memory/644-160-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download
memory/644-109-0x0000000000F40000-0x0000000000F6C000-memory.dmp

Filesize
176KB

Download
memory/644-125-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/644-162-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1200-253-0x0000000000DD0000-0x0000000000E4C000-memory.dmp

Filesize
496KB

Download
memory/1508-131-0x0000000002B30000-0x0000000002B70000-memory.dmp

Filesize
256KB

Download
memory/1508-134-0x0000000002B30000-0x0000000002B70000-memory.dmp

Filesize
256KB

Download
memory/1508-163-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-164-0x0000000002B30000-0x0000000002B70000-memory.dmp

Filesize
256KB

Download
memory/1508-165-0x0000000002B30000-0x0000000002B70000-memory.dmp

Filesize
256KB

Download
memory/1508-167-0x0000000002B30000-0x0000000002B70000-memory.dmp

Filesize
256KB

Download
memory/1508-132-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-168-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-133-0x0000000002B30000-0x0000000002B70000-memory.dmp

Filesize
256KB

Download
memory/1508-130-0x000000006EEF0000-0x000000006F49B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-110-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1712-166-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1712-161-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1740-209-0x0000000002230000-0x0000000002270000-memory.dmp

Filesize
256KB

Download
memory/1740-206-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1740-210-0x0000000004D40000-0x0000000004DE2000-memory.dmp

Filesize
648KB

Download
memory/1740-205-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1740-202-0x0000000000320000-0x000000000041A000-memory.dmp

Filesize
1000KB

Download
memory/2072-123-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-121-0x0000000000200000-0x0000000000238000-memory.dmp

Filesize
224KB

Download
memory/2464-124-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-136-0x00000000009E0000-0x0000000000A60000-memory.dmp

Filesize
512KB

Download
memory/2464-72-0x00000000013A0000-0x00000000013B2000-memory.dmp

Filesize
72KB

Download
memory/2464-159-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-204-0x00000000009E0000-0x0000000000A60000-memory.dmp

Filesize
512KB

Download
memory/2476-173-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-281-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-170-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-171-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-282-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-174-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-176-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-311-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-179-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-180-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-182-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2476-184-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2496-240-0x0000000000920000-0x00000000009A6000-memory.dmp

Filesize
536KB

Download
memory/2588-98-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2588-76-0x0000000001220000-0x0000000001438000-memory.dmp

Filesize
2.1MB

Download
memory/2588-106-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-127-0x0000000000A10000-0x0000000000A5C000-memory.dmp

Filesize
304KB

Download
memory/2588-178-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-156-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-126-0x00000000054F0000-0x00000000056DC000-memory.dmp

Filesize
1.9MB

Download
memory/2588-113-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2588-158-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2612-107-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-74-0x0000000000110000-0x000000000013C000-memory.dmp

Filesize
176KB

Download
memory/2612-101-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-111-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-135-0x0000000002150000-0x0000000002190000-memory.dmp

Filesize
256KB

Download
memory/2648-95-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2648-157-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-183-0x0000000002150000-0x0000000002190000-memory.dmp

Filesize
256KB

Download
memory/2712-112-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/2712-99-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2712-75-0x0000000000800000-0x0000000000838000-memory.dmp

Filesize
224KB

Download
memory/2712-97-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-122-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-227-0x00000000012A0000-0x0000000001326000-memory.dmp

Filesize
536KB

Download
memory/2820-242-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/2820-219-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2820-231-0x0000000001020000-0x000000000107C000-memory.dmp

Filesize
368KB

Download
memory/2912-230-0x00000000007E0000-0x000000000083C000-memory.dmp

Filesize
368KB

Download
memory/2912-232-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/2912-229-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-228-0x0000000000F10000-0x0000000000F98000-memory.dmp

Filesize
544KB

Download
memory/2988-208-0x0000000000840000-0x00000000008F8000-memory.dmp

Filesize
736KB

Download
memory/2988-211-0x0000000004610000-0x0000000004698000-memory.dmp

Filesize
544KB

Download
memory/2988-207-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/3360-318-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3360-353-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3360-324-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3360-351-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3360-321-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3360-327-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3360-340-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3360-339-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3360-333-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3360-336-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3368-319-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3368-345-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3368-337-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3368-328-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3368-325-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3384-344-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-357-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-347-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-348-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-354-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-338-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-332-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-349-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3384-326-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-320-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3724-359-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3724-358-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3920-375-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3920-373-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download