asyncrat | 45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe
Size

3.8MB
MD5

1b018d9d77edf9c08d39bc6080cf50d2
SHA1

b24d472f1cb43e0c114de888e9726a6cb8fafca3
SHA256

45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
SHA512

854a81e05309fe51efd17a49f00f2cd95a01a815923b27b055296b1e5ca8c5c718b2bbaabf0bdafce3019201c26c63ecc199a9210cacbf12d5d110b888f395f4
SSDEEP

98304:rwcCJEcjXKOFlOd/iZujgERMOarjSaoYI6gYo1je:rVaawOd/vMsMOaPI6To1je

Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+apre2-new new-july-july4-0 new-july-july4-02 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

Xens_nd8918d

Attributes

delay
5000
install_path
appdata
port
4488
startup_name
rar

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

v5tvc4rc3ex7

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+Apre2-new

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-3MW33TC

Attributes

gencode
XE9EWd209YcQ
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

45.74.4.244:5199

dgorijan20785.hopto.org:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023216-60.dat	family_asyncrat

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 6 IoCs

resource	yara_rule
behavioral2/memory/6960-513-0x0000000000400000-0x0000000000554000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/6960-521-0x0000000000400000-0x0000000000554000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/7100-549-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/7064-557-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/7100-562-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/7064-528-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 11 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023222-133.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/6740-481-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/6740-483-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/6740-485-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/6740-494-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/7100-549-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/7064-557-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/7100-562-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/7064-528-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/6740-593-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/6740-597-0x0000000000400000-0x00000000004C9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables embedding command execution via IExecuteCommand COM object 6 IoCs

resource	yara_rule
behavioral2/memory/6960-513-0x0000000000400000-0x0000000000554000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral2/memory/6960-521-0x0000000000400000-0x0000000000554000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral2/memory/7100-549-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral2/memory/7064-557-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral2/memory/7100-562-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
behavioral2/memory/7064-528-0x0000000000400000-0x0000000000559000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM

Detects file containing reversed ASEP Autorun registry keys 3 IoCs

resource	yara_rule
behavioral2/memory/544-66-0x00000000004D0000-0x00000000004E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral2/files/0x0008000000023216-60.dat	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral2/memory/6972-544-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

UPX dump on OEP (original entry point) 21 IoCs

resource	yara_rule
behavioral2/memory/1340-189-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral2/memory/1340-193-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral2/memory/1340-194-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral2/memory/1340-195-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral2/memory/1340-298-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral2/memory/1340-300-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral2/memory/1340-305-0x0000000000400000-0x0000000000853000-memory.dmp	UPX
behavioral2/memory/6740-477-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral2/memory/6740-480-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral2/memory/6740-481-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral2/memory/6740-483-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral2/memory/6740-485-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral2/memory/6740-494-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral2/memory/7084-530-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/7084-535-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/7084-547-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/7084-542-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/7084-567-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/7084-570-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/6740-593-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX
behavioral2/memory/6740-597-0x0000000000400000-0x00000000004C9000-memory.dmp	UPX

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/6960-513-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/6960-521-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/7100-549-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/7064-557-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/7100-562-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/7064-528-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms85F9.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	sms731D.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	drvmonit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	rarwin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	usbserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Executes dropped EXE 48 IoCs

pid	Process
3640	sms731D.tmp
5072	drvmonit.exe
3048	logons.exe
4052	rarwin.exe
2244	svlhost.exe
544	sms7A21.tmp
5064	usbserv.exe
1072	winlists.exe
1644	wintskl.exe
5044	drvmonit.exe
3408	sms804C.tmp
4336	usbserv.exe
3116	sms8472.tmp
4888	sms85F9.tmp
4864	ADOBESERV.EXE
2568	AUDIOPT.EXE
2408	DRVVIDEO.EXE
4412	WINCPUL.EXE
3900	WINLOGONL.EXE
1000	WINPLAY.EXE
3016	ADOBESERV.EXE
4068	AUDIOPT.EXE
4460	DRVVIDEO.EXE
4624	WINCPUL.EXE
2672	WINLOGONL.EXE
4144	WINPLAY.EXE
6960	WINLOGONL.EXE
6952	WINCPUL.EXE
6992	WINCPUL.EXE
7020	WINCPUL.EXE
7064	WINCPUL.EXE
7084	AUDIOPT.EXE
6972	WINPLAY.EXE
7100	DRVVIDEO.EXE
5728	WINCPUL.EXE
5992	WINCPUL.EXE
6392	AUDIOPT.EXE
2412	AUDIOPT.EXE
6308	DRVVIDEO.EXE
1396	AUDIOPT.EXE
6400	WINLOGONL.EXE
6496	WINPLAY.EXE
6588	WINPLAY.EXE
3328	WINPLAY.EXE
3284	wintsklt.exe
5288	wintskl.exe
7016	wintsklt.exe
3888	wintskl.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1340-189-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1340-193-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1340-194-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1340-195-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1340-298-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1340-300-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/1340-305-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/6740-477-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6740-480-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6740-481-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6740-483-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6740-485-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6740-494-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/7084-530-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/7084-535-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/7084-547-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/7084-542-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/7084-567-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/7084-570-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6740-593-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6740-597-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	rarwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 1340	4052	rarwin.exe	120
PID 4864 set thread context of 6740	4864	ADOBESERV.EXE	157
PID 3900 set thread context of 6960	3900	WINLOGONL.EXE	159
PID 4412 set thread context of 7064	4412	WINCPUL.EXE	163
PID 2568 set thread context of 7084	2568	AUDIOPT.EXE	164
PID 1000 set thread context of 6972	1000	WINPLAY.EXE	160
PID 2408 set thread context of 7100	2408	DRVVIDEO.EXE	165
PID 4624 set thread context of 5992	4624	WINCPUL.EXE	167
PID 4460 set thread context of 6308	4460	DRVVIDEO.EXE	168
PID 4068 set thread context of 1396	4068	AUDIOPT.EXE	172
PID 2672 set thread context of 6400	2672	WINLOGONL.EXE	169
PID 3016 set thread context of 6552	3016	ADOBESERV.EXE	178
PID 4144 set thread context of 3328	4144	WINPLAY.EXE	180
PID 3284 set thread context of 7016	3284	wintsklt.exe	196
PID 5288 set thread context of 3888	5288	wintskl.exe	197

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1516	schtasks.exe
3220	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2076	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
916	powershell.exe
916	powershell.exe
916	powershell.exe
544	sms7A21.tmp
544	sms7A21.tmp
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp
3408	sms804C.tmp
3408	sms804C.tmp
4052	rarwin.exe
4052	rarwin.exe
5044	drvmonit.exe
5044	drvmonit.exe
5044	drvmonit.exe
3408	sms804C.tmp

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3116	sms8472.tmp
6740	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3116	sms8472.tmp
Token: SeDebugPrivilege	3116	sms8472.tmp
Token: SeTcbPrivilege	3116	sms8472.tmp
Token: SeIncreaseQuotaPrivilege	4888	sms85F9.tmp
Token: SeSecurityPrivilege	4888	sms85F9.tmp
Token: SeTakeOwnershipPrivilege	4888	sms85F9.tmp
Token: SeLoadDriverPrivilege	4888	sms85F9.tmp
Token: SeSystemProfilePrivilege	4888	sms85F9.tmp
Token: SeSystemtimePrivilege	4888	sms85F9.tmp
Token: SeProfSingleProcessPrivilege	4888	sms85F9.tmp
Token: SeIncBasePriorityPrivilege	4888	sms85F9.tmp
Token: SeCreatePagefilePrivilege	4888	sms85F9.tmp
Token: SeBackupPrivilege	4888	sms85F9.tmp
Token: SeRestorePrivilege	4888	sms85F9.tmp
Token: SeShutdownPrivilege	4888	sms85F9.tmp
Token: SeDebugPrivilege	4888	sms85F9.tmp
Token: SeSystemEnvironmentPrivilege	4888	sms85F9.tmp
Token: SeChangeNotifyPrivilege	4888	sms85F9.tmp
Token: SeRemoteShutdownPrivilege	4888	sms85F9.tmp
Token: SeUndockPrivilege	4888	sms85F9.tmp
Token: SeManageVolumePrivilege	4888	sms85F9.tmp
Token: SeImpersonatePrivilege	4888	sms85F9.tmp
Token: SeCreateGlobalPrivilege	4888	sms85F9.tmp
Token: 33	4888	sms85F9.tmp
Token: 34	4888	sms85F9.tmp
Token: 35	4888	sms85F9.tmp
Token: 36	4888	sms85F9.tmp
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	544	sms7A21.tmp
Token: SeDebugPrivilege	3408	sms804C.tmp
Token: SeDebugPrivilege	5044	drvmonit.exe
Token: SeDebugPrivilege	4052	rarwin.exe
Token: SeIncreaseQuotaPrivilege	1340	InstallUtil.exe
Token: SeSecurityPrivilege	1340	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	1340	InstallUtil.exe
Token: SeLoadDriverPrivilege	1340	InstallUtil.exe
Token: SeSystemProfilePrivilege	1340	InstallUtil.exe
Token: SeSystemtimePrivilege	1340	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	1340	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1340	InstallUtil.exe
Token: SeCreatePagefilePrivilege	1340	InstallUtil.exe
Token: SeBackupPrivilege	1340	InstallUtil.exe
Token: SeRestorePrivilege	1340	InstallUtil.exe
Token: SeShutdownPrivilege	1340	InstallUtil.exe
Token: SeDebugPrivilege	1340	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	1340	InstallUtil.exe
Token: SeChangeNotifyPrivilege	1340	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	1340	InstallUtil.exe
Token: SeUndockPrivilege	1340	InstallUtil.exe
Token: SeManageVolumePrivilege	1340	InstallUtil.exe
Token: SeImpersonatePrivilege	1340	InstallUtil.exe
Token: SeCreateGlobalPrivilege	1340	InstallUtil.exe
Token: 33	1340	InstallUtil.exe
Token: 34	1340	InstallUtil.exe
Token: 35	1340	InstallUtil.exe
Token: 36	1340	InstallUtil.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	5276	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3116	sms8472.tmp
4888	sms85F9.tmp
1340	InstallUtil.exe
6740	InstallUtil.exe
7084	AUDIOPT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3640	1516	45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe	90
PID 1516 wrote to memory of 3640	1516	45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe	90
PID 1516 wrote to memory of 3640	1516	45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe	90
PID 3640 wrote to memory of 5072	3640	sms731D.tmp	93
PID 3640 wrote to memory of 5072	3640	sms731D.tmp	93
PID 3640 wrote to memory of 5072	3640	sms731D.tmp	93
PID 3640 wrote to memory of 3048	3640	sms731D.tmp	94
PID 3640 wrote to memory of 3048	3640	sms731D.tmp	94
PID 3640 wrote to memory of 4052	3640	sms731D.tmp	96
PID 3640 wrote to memory of 4052	3640	sms731D.tmp	96
PID 3640 wrote to memory of 4052	3640	sms731D.tmp	96
PID 3640 wrote to memory of 2244	3640	sms731D.tmp	97
PID 3640 wrote to memory of 2244	3640	sms731D.tmp	97
PID 3048 wrote to memory of 544	3048	logons.exe	99
PID 3048 wrote to memory of 544	3048	logons.exe	99
PID 3640 wrote to memory of 5064	3640	sms731D.tmp	100
PID 3640 wrote to memory of 5064	3640	sms731D.tmp	100
PID 3640 wrote to memory of 5064	3640	sms731D.tmp	100
PID 3640 wrote to memory of 1072	3640	sms731D.tmp	101
PID 3640 wrote to memory of 1072	3640	sms731D.tmp	101
PID 3640 wrote to memory of 1644	3640	sms731D.tmp	102
PID 3640 wrote to memory of 1644	3640	sms731D.tmp	102
PID 5072 wrote to memory of 5044	5072	drvmonit.exe	105
PID 5072 wrote to memory of 5044	5072	drvmonit.exe	105
PID 5072 wrote to memory of 5044	5072	drvmonit.exe	105
PID 1644 wrote to memory of 3408	1644	wintskl.exe	106
PID 1644 wrote to memory of 3408	1644	wintskl.exe	106
PID 1644 wrote to memory of 3408	1644	wintskl.exe	106
PID 5064 wrote to memory of 4336	5064	usbserv.exe	107
PID 5064 wrote to memory of 4336	5064	usbserv.exe	107
PID 5064 wrote to memory of 4336	5064	usbserv.exe	107
PID 2244 wrote to memory of 3116	2244	svlhost.exe	108
PID 2244 wrote to memory of 3116	2244	svlhost.exe	108
PID 2244 wrote to memory of 3116	2244	svlhost.exe	108
PID 1072 wrote to memory of 4888	1072	winlists.exe	109
PID 1072 wrote to memory of 4888	1072	winlists.exe	109
PID 1072 wrote to memory of 4888	1072	winlists.exe	109
PID 4052 wrote to memory of 916	4052	rarwin.exe	110
PID 4052 wrote to memory of 916	4052	rarwin.exe	110
PID 4052 wrote to memory of 916	4052	rarwin.exe	110
PID 5044 wrote to memory of 1516	5044	drvmonit.exe	115
PID 5044 wrote to memory of 1516	5044	drvmonit.exe	115
PID 5044 wrote to memory of 1516	5044	drvmonit.exe	115
PID 4052 wrote to memory of 1340	4052	rarwin.exe	120
PID 4052 wrote to memory of 1340	4052	rarwin.exe	120
PID 4052 wrote to memory of 1340	4052	rarwin.exe	120
PID 4052 wrote to memory of 1340	4052	rarwin.exe	120
PID 4052 wrote to memory of 1340	4052	rarwin.exe	120
PID 4052 wrote to memory of 1340	4052	rarwin.exe	120
PID 4052 wrote to memory of 1340	4052	rarwin.exe	120
PID 1340 wrote to memory of 4864	1340	InstallUtil.exe	121
PID 1340 wrote to memory of 4864	1340	InstallUtil.exe	121
PID 1340 wrote to memory of 4864	1340	InstallUtil.exe	121
PID 1340 wrote to memory of 2568	1340	InstallUtil.exe	122
PID 1340 wrote to memory of 2568	1340	InstallUtil.exe	122
PID 1340 wrote to memory of 2568	1340	InstallUtil.exe	122
PID 1340 wrote to memory of 2408	1340	InstallUtil.exe	123
PID 1340 wrote to memory of 2408	1340	InstallUtil.exe	123
PID 1340 wrote to memory of 2408	1340	InstallUtil.exe	123
PID 1340 wrote to memory of 4412	1340	InstallUtil.exe	124
PID 1340 wrote to memory of 4412	1340	InstallUtil.exe	124
PID 1340 wrote to memory of 4412	1340	InstallUtil.exe	124
PID 1340 wrote to memory of 3900	1340	InstallUtil.exe	125
PID 1340 wrote to memory of 3900	1340	InstallUtil.exe	125

C:\Users\Admin\AppData\Local\Temp\45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe
"C:\Users\Admin\AppData\Local\Temp\45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\sms731D.tmp
  "C:\Users\Admin\AppData\Local\Temp\sms731D.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\drvmonit.exe
    "C:\Users\Admin\AppData\Local\Temp\drvmonit.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Roaming\XenoManager\drvmonit.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\drvmonit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "rar" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1516
- - C:\Users\Admin\AppData\Local\Temp\logons.exe
    "C:\Users\Admin\AppData\Local\Temp\logons.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\sms7A21.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms7A21.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:544
- - C:\Users\Admin\AppData\Local\Temp\rarwin.exe
    "C:\Users\Admin\AppData\Local\Temp\rarwin.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Drops file in Drivers directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4864
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:6740
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2568
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7084
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2408
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:7100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4412
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:6952
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:6992
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:7020
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:7064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:3816
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3900
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:6960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:6432
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1000
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC61A.tmp.bat""
        7⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        9⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        9⤵
        Executes dropped EXE
        
        PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3016
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5276
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:6452
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:5060
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:6552
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4068
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5292
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Executes dropped EXE
        
        PID:6392
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Executes dropped EXE
        
        PID:2412
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4460
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:5540
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:6308
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4624
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:5304
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:5728
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        
        PID:5992
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        "C:\Users\Admin\Documents\wintsklt.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:6748
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        8⤵
        Executes dropped EXE
        
        PID:7016
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2672
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:5468
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:6400
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4144
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:6496
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:6588
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:3328
- - C:\Users\Admin\AppData\Local\Temp\svlhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svlhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\sms8472.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms8472.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3116
- - C:\Users\Admin\AppData\Local\Temp\usbserv.exe
    "C:\Users\Admin\AppData\Local\Temp\usbserv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Roaming\XenoManager\usbserv.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\usbserv.exe"
      4⤵
      Executes dropped EXE
      PID:4336
- - C:\Users\Admin\AppData\Local\Temp\winlists.exe
    "C:\Users\Admin\AppData\Local\Temp\winlists.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\sms85F9.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms85F9.tmp"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4888
- - C:\Users\Admin\AppData\Local\Temp\wintskl.exe
    "C:\Users\Admin\AppData\Local\Temp\wintskl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\sms804C.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms804C.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AUDIOPT.EXE.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\usbserv.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c09c2a795c2582cf0627fe009f84d91c

SHA1
5fa5f1638b5b8c9e479acf386cd061af52733b42

SHA256
4cb3249fd8a79202eb8241a1bfe16283ac4b1031ecac928fea2d879e2aaaccd8

SHA512
ceb249a9d980861c1cf05ef9f2ea072ea4d7f5bb476df3334e0ab9ecac955bdfc547c8e3449d8e6e4804e1f2474720b1d5d3f613590943012113c8544f669d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
ecbd7e92040fcd209ee72e391f984479

SHA1
aced77ea2c87b6e85a1465dd4d480a032fe4736c

SHA256
eff5b069bfaee31cd2e0732613cbd6ba453bca9b41fa1be8999c3100135c7e03

SHA512
ce9e5ef518441597d8ed446b3b7f0dcfa561631ee50557b7868e2d0104d0f5afc950a5238892d6d5a09c77c658af00164689b121f8b31a37dd978a66d8052892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
649ce80de0510c8fe9495b65f5b0a4c2

SHA1
b43c3fff7fdb327a8808575667e4cdb9d52ad84c

SHA256
b26f1f3037f92aad74c646b13bf4bce7423306c44d977009ef47fe28d9463f9d

SHA512
0dca012a5da15a4913f68a505910be63786c182e62e4ce78a355e6bdb4f6501a2d90590f1129ee9d1df086569cfe1e9dccaa0fd758f8e80c2076497bc9363b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
2973271bfee120939d16c962022d5b3e

SHA1
33668b2992cff85b14e28c3291c575a390ac695a

SHA256
1ac602754020fb52d3c6fcf0fa9f9dd223b9f9ddf244f4b922321ea0fac4f514

SHA512
875ed5ee15d3f815541cfaa5d26fe2aaf19f06cd00327903d23e2c641206c3c4c53dbe1638e63158d31dd3df0fa13c0f531d6ab9eb1bba53bc4adcb9051cf4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
940e665bc6c20a5b0aa380b89340b81b

SHA1
afbaba044cb4c502321e75290ba14885710bcadc

SHA256
810b8f250827860d588552b7ae784174a35edfe51667a7f5a3fa005a7c4d7aff

SHA512
e573361c3602e37ea255834c7b0919febca7fdc6996dc80bf06f3a7df5e951866aec06a07f729ab7abd417951231e2d23f10e0100fbe696b5dfeb94184ced893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
6dbb96ef670b4adede1393c5035a8c27

SHA1
3c94e6de7a98c78a6f5f291a2c79dc82b564c2fd

SHA256
89805f4da6de5c5dd486d94a36a93eac4596d6d4db32097f74251468db247d05

SHA512
07ac2510b903acd99f68bdd4b73062bceb367583ad3acec7e95e39d57b02c2c046c274c562477545429a278cd0893ad3a6d8531a0337d27da42a08b2fafada2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cngje0h0.vkp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drvmonit.exe

Filesize
150KB

MD5
c415a21e89694c691c2808ef19e8e7d9

SHA1
644ba9c39d3579a0419cd1ca52ed361eab8c50b6

SHA256
771cf79fda975168bdb756280aafc59d96f767b03928e48d8b2935548702237a

SHA512
823de8d7a58c88df0a9cf093223a1eab106d68e5939bd9a1d7954ac69f9d5f6237b01d4943ad996dcbed312baf331d7fd99c53d096be40ceddcb99514e412343

Download Submit
C:\Users\Admin\AppData\Local\Temp\logons.exe

Filesize
59KB

MD5
466a4fab74714d28172502dc09ada184

SHA1
2588e5a49b4c58f61627cfecab983705ff54dda1

SHA256
badd6f0f78c14773e916ae11ace9f83b6db9cb52f242a16a86a1ac7f418dfe15

SHA512
6b897c5ba51fe79a1320ddd2f3fa6fe0af482f711ea37d3b6412e026514cca5d2450068d1e485a33236f4c9bbea29a182e9c652517dd01ee34818afb193f6354

Download Submit
C:\Users\Admin\AppData\Local\Temp\rarwin.exe

Filesize
2.1MB

MD5
fe9307672b900d6638ef9653a80eeabd

SHA1
865071fedd32abd1fc159584229095cc98e25464

SHA256
8620630492a1e6a6ebe6172249ba1425895af430bd77c8f1e2a2bfe407a231ee

SHA512
3d67204db32d496b44f6aaad59ce2fd40c51a003ab82d36f1cb47d6caa5d458ee75192ded9fde8683f2c850e4eaad9b8a984387d2951d2bf1bb9bbc5b40eaabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms731D.tmp

Filesize
3.6MB

MD5
c0811a2b760f26064e108332abb981b0

SHA1
9cddfea05f18c464822c822199a890bc24e4c592

SHA256
8cd70df79057b6cf818686eccc6aeef128e75d49288dc737c434987a759067b0

SHA512
cdfafb3c0ff42d8998b57913eea7594fdfb61de1972c6da10ce9f220618652682672ef1d8f3503ac8ddf54d2e411d1e69622fa0d3094d8d4d56740d9fbbb9ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms7A21.tmp

Filesize
46KB

MD5
a091efe9f16f062fc0985704029b18ef

SHA1
41a58ee152864c3c2eb450e93455a095db24e3fe

SHA256
5a1e12022bdc3f4a423852e24065d9aaf3eb2ee65ca584be71a8c228dd23a7af

SHA512
a0518b633d43d75aa8a1483d4eb15e43fdde301757407de7357e3dffe260d44bc31dce3392b98c6fa989c9c969601575264f15ee178728cac2b90c0b190ea718

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms804C.tmp

Filesize
45KB

MD5
8ccf0cd31941c113e7ed1047cf6cd7d2

SHA1
e460bf7e54ffb34dc66c0bf49ef08fe9e886517d

SHA256
694f320302a9bf8a79ca16e91d8ab7dabef9ff05d2b450bd5ffad4fb6b62eff5

SHA512
cb2beb5af8ff4eaa6cf85502afa195f8a37adae18b4dc1b6d1855ffac656fefdad24035ba77a7e56278bd12b9b1b27682e7bacdf5779e7c0674edb7c732c7fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms8472.tmp

Filesize
733KB

MD5
04e6960a21235431867b45d9b98e637a

SHA1
62e8b447a96a21a3c359e4beee0431542bbfd5d6

SHA256
516d2df50001db9fda81065f989f574bfdafa3f25fda48cb9afdba756301152a

SHA512
95c21edac1233ec31170efcf47fc10f3b652c29eadac2cd795a214373e66b22c64d8caa7f18d19b93bfb587c9d68be29ebdd55105522528cdedf094a034068fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms85F9.tmp

Filesize
658KB

MD5
114ceda9d99182aff52b3a6faa1bd2a5

SHA1
f5cc13c4a61546fa8e5a43c25483edf773127d79

SHA256
be1d435fda61f1389c6218d5e107e87a2b61f6dc818466bdc6f2b5b631834d3f

SHA512
e8a788398e48c7640c8326dec20c9c459d506be530c3f0845172f6ad371ca2d2276c003a402874daa5cf453a11840c570f95f03229c0f0801416a6616be1f246

Download Submit
C:\Users\Admin\AppData\Local\Temp\svlhost.exe

Filesize
746KB

MD5
a560aec0d762f7d49aa35cab16241688

SHA1
80cdb8bd681d072c696a75607bad696f92c67329

SHA256
73dc84de5b8abe542496d8621faed0c2957a7971e55f56f8d3923f5e3aa82b59

SHA512
046f9b799a5cd53b8bc71d56bf59bb479972d098d85ed385dc1ef218d17f25078eaca7de516357fa620d6fe1ce2c594b3bdd508687fc9e415eb64d13a2032721

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp

Filesize
1KB

MD5
a65790d60afe7f29b546aeb30d6418ea

SHA1
16c17e7ff6ceb356edd377ee81556e76e1d17c76

SHA256
d75cb1474855704eac6fd2718796f4bb149b99a338351f5f187329cf0c00785a

SHA512
b8fd846a46cf4525ac2fd0fa5f04d504bc559ee7635edd695bcbfae9ec9601f955fbef9a44d429c70c0a5823597587a08bd3b063c284f37f85f4445cadcffb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\usbserv.exe

Filesize
202KB

MD5
505c9499e2e9d1d898a66084b24b7fa0

SHA1
eb9cc5e05250e4b632139daadcbd337bcebb6ca1

SHA256
0f0b7aac076e447f866220e179d30b8f2623e71f2fae519a02249a83ae9808f6

SHA512
5a0047ca876827211ed5e7e6645135ee5c561ace1d2e2f4f6284daa13530ee652ad9723a3682e9e0b307b5bd814e79f4e9e72099296437b882b3eaf356b7dc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlists.exe

Filesize
671KB

MD5
f159464e574a24e7b075bc82241bb094

SHA1
fba9d7b3ddc51f2b52a62d701a512f57ab3445cc

SHA256
d6b681cd4e8214b2263f4ee48a4c8f93bc7aeedbfd256a6647471b252093b51b

SHA512
6e30961b7d46e09756932b19ad5eb1da3e7cd12cba840c76573920fc85985556f2459a76a214bf5dc129c8961b749545316171211e28f08e9b6f73d0792ea703

Download Submit
C:\Users\Admin\AppData\Local\Temp\wintskl.exe

Filesize
58KB

MD5
99c597e6e14f7ea4725d7157329657e8

SHA1
66bbcf2696ee8d4c96dde1b3d9be8ca212102b08

SHA256
e9292b321ecf224f4ff9a61481957ec9c6aba73bf930fce593cab13e883b6bfc

SHA512
b31c8652252772438445c9134d5a175c08cbd67d3f6575ee7e66e27b59b83e7213852b6736fdccbd873fa77eb66918b15b2ff690e3bee8ccf45dca207a6ec52e

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/544-66-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/544-196-0x000000001B040000-0x000000001B050000-memory.dmp

Filesize
64KB

Download
memory/544-101-0x00007FFCB9B80000-0x00007FFCBA641000-memory.dmp

Filesize
10.8MB

Download
memory/544-173-0x00007FFCB9B80000-0x00007FFCBA641000-memory.dmp

Filesize
10.8MB

Download
memory/544-165-0x000000001B040000-0x000000001B050000-memory.dmp

Filesize
64KB

Download
memory/916-163-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/916-164-0x0000000006630000-0x000000000667C000-memory.dmp

Filesize
304KB

Download
memory/916-182-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/916-187-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/916-145-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/916-146-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/916-148-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/916-147-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/916-149-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/916-150-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/916-156-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/916-161-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/916-169-0x0000000006A80000-0x0000000006A9A000-memory.dmp

Filesize
104KB

Download
memory/916-162-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/916-168-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/916-184-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/916-167-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1340-195-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1340-305-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1340-300-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1340-197-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1340-194-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1340-193-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1340-189-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1340-298-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1488-629-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2408-244-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/2408-266-0x00000000004E0000-0x0000000000566000-memory.dmp

Filesize
536KB

Download
memory/2568-243-0x0000000000D10000-0x0000000000DC8000-memory.dmp

Filesize
736KB

Download
memory/3116-144-0x0000000074F40000-0x0000000074F79000-memory.dmp

Filesize
228KB

Download
memory/3408-180-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/3408-111-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/3408-178-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/3408-131-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/3408-122-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/3816-647-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/4052-92-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/4052-137-0x0000000006600000-0x00000000067EC000-memory.dmp

Filesize
1.9MB

Download
memory/4052-172-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4052-84-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/4052-88-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4052-83-0x0000000000C60000-0x0000000000C66000-memory.dmp

Filesize
24KB

Download
memory/4052-91-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/4052-192-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/4052-103-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/4052-58-0x00000000001E0000-0x00000000003F8000-memory.dmp

Filesize
2.1MB

Download
memory/4052-166-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/4052-141-0x00000000067F0000-0x000000000683C000-memory.dmp

Filesize
304KB

Download
memory/4336-135-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/4412-269-0x0000000000140000-0x00000000001C8000-memory.dmp

Filesize
544KB

Download
memory/4412-270-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/4864-256-0x0000000005120000-0x0000000005126000-memory.dmp

Filesize
24KB

Download
memory/4864-242-0x0000000000970000-0x0000000000A6A000-memory.dmp

Filesize
1000KB

Download
memory/4864-230-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/4888-176-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4888-143-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/5044-177-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/5044-113-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/5044-124-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/5044-179-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/5064-134-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/5064-80-0x00000000007F0000-0x0000000000828000-memory.dmp

Filesize
224KB

Download
memory/5064-85-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/5064-87-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/5064-90-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/5072-116-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/5072-56-0x0000000073BA0000-0x0000000074350000-memory.dmp

Filesize
7.7MB

Download
memory/5072-43-0x0000000000E20000-0x0000000000E4C000-memory.dmp

Filesize
176KB

Download
memory/6432-615-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/6740-481-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6740-477-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6740-485-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6740-483-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6740-480-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6740-494-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6740-597-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6740-593-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6960-521-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6960-513-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6972-544-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/7064-528-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/7064-557-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/7084-547-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/7084-542-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/7084-567-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/7084-570-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/7084-535-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/7084-530-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/7100-562-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/7100-549-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download