asyncrat | 0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b

General

Target

093bc49ab25cc6a20d95155db80f1fa8.exe
Size

753KB
MD5

093bc49ab25cc6a20d95155db80f1fa8
SHA1

b1ed1ffa34d4e909e30e8a3a299a22d5101380e1
SHA256

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b
SHA512

bec9a628e91f16cd4bdfcda85f30a447ab2e817acdfcee307187cb2d5aaff32eb3fa3b659f810aca40290f97ff59122873d60e3fe9988d2195da0b6cb0870722
SSDEEP

12288:mUvKFtlyYqn58iP23JOcXYkrCQNkfCVvd487NYe3VqiYT6K3ifW+Janl:glyY058i0OuIQNkfCb4IV2iW+Janl

Score

10^/10

asyncrat darkcomet 2024+may3333-newcrt persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+May3333-newcrt

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-M4P4YFY

Attributes

InstallPath
rar.exe
gencode
jSEma97mAgP2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
winrar

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex778899

Attributes

delay
5
install
true
install_file
audiodrvs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sms9DB6.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\rar.exe"	sms9DB6.tmp

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\smsA3DD.tmp	family_asyncrat

Drops file in Drivers directory 1 IoCs

Processes:

sms9DB6.tmp

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts sms9DB6.tmp
Executes dropped EXE 7 IoCs

Processes:

sms9DB6.tmpCHROMEL.EXEPRINTSERV.EXEsmsA3DD.tmprar.exePRINTSERV.EXEaudiodrvs.exe

pid process

2892 sms9DB6.tmp
2552 CHROMEL.EXE
2792 PRINTSERV.EXE
2964 smsA3DD.tmp
2404 rar.exe
2836 PRINTSERV.EXE
2252 audiodrvs.exe
Loads dropped DLL 7 IoCs

Processes:

sms9DB6.tmpPRINTSERV.EXE

pid process

2892 sms9DB6.tmp
2892 sms9DB6.tmp
2892 sms9DB6.tmp
2656
2892 sms9DB6.tmp
2892 sms9DB6.tmp
2792 PRINTSERV.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms9DB6.tmp

pid	process
2892	sms9DB6.tmp
2552	CHROMEL.EXE
2792	PRINTSERV.EXE
2964	smsA3DD.tmp
2404	rar.exe
2836	PRINTSERV.EXE
2252	audiodrvs.exe

pid	process
2892	sms9DB6.tmp
2892	sms9DB6.tmp
2892	sms9DB6.tmp
2656
2892	sms9DB6.tmp
2892	sms9DB6.tmp
2792	PRINTSERV.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms9DB6.tmp	upx
behavioral1/memory/2892-13-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral1/memory/2892-14-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral1/memory/2404-85-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral1/memory/2892-96-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral1/memory/2404-102-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral1/memory/2404-113-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral1/memory/2404-118-0x0000000000400000-0x000000000055B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sms9DB6.tmprar.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	sms9DB6.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	rar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1208 schtasks.exe
808 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2924 timeout.exe

pid	process
1208	schtasks.exe
808	schtasks.exe

pid	process
2924	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PRINTSERV.EXEsmsA3DD.tmpaudiodrvs.exe

pid	process
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2964	smsA3DD.tmp
2964	smsA3DD.tmp
2964	smsA3DD.tmp
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2252	audiodrvs.exe
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE
2836	PRINTSERV.EXE

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

sms9DB6.tmprar.exesmsA3DD.tmpPRINTSERV.EXEaudiodrvs.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2892	sms9DB6.tmp
Token: SeSecurityPrivilege	2892	sms9DB6.tmp
Token: SeTakeOwnershipPrivilege	2892	sms9DB6.tmp
Token: SeLoadDriverPrivilege	2892	sms9DB6.tmp
Token: SeSystemProfilePrivilege	2892	sms9DB6.tmp
Token: SeSystemtimePrivilege	2892	sms9DB6.tmp
Token: SeProfSingleProcessPrivilege	2892	sms9DB6.tmp
Token: SeIncBasePriorityPrivilege	2892	sms9DB6.tmp
Token: SeCreatePagefilePrivilege	2892	sms9DB6.tmp
Token: SeBackupPrivilege	2892	sms9DB6.tmp
Token: SeRestorePrivilege	2892	sms9DB6.tmp
Token: SeShutdownPrivilege	2892	sms9DB6.tmp
Token: SeDebugPrivilege	2892	sms9DB6.tmp
Token: SeSystemEnvironmentPrivilege	2892	sms9DB6.tmp
Token: SeChangeNotifyPrivilege	2892	sms9DB6.tmp
Token: SeRemoteShutdownPrivilege	2892	sms9DB6.tmp
Token: SeUndockPrivilege	2892	sms9DB6.tmp
Token: SeManageVolumePrivilege	2892	sms9DB6.tmp
Token: SeImpersonatePrivilege	2892	sms9DB6.tmp
Token: SeCreateGlobalPrivilege	2892	sms9DB6.tmp
Token: 33	2892	sms9DB6.tmp
Token: 34	2892	sms9DB6.tmp
Token: 35	2892	sms9DB6.tmp
Token: SeIncreaseQuotaPrivilege	2404	rar.exe
Token: SeSecurityPrivilege	2404	rar.exe
Token: SeTakeOwnershipPrivilege	2404	rar.exe
Token: SeLoadDriverPrivilege	2404	rar.exe
Token: SeSystemProfilePrivilege	2404	rar.exe
Token: SeSystemtimePrivilege	2404	rar.exe
Token: SeProfSingleProcessPrivilege	2404	rar.exe
Token: SeIncBasePriorityPrivilege	2404	rar.exe
Token: SeCreatePagefilePrivilege	2404	rar.exe
Token: SeBackupPrivilege	2404	rar.exe
Token: SeRestorePrivilege	2404	rar.exe
Token: SeShutdownPrivilege	2404	rar.exe
Token: SeDebugPrivilege	2404	rar.exe
Token: SeSystemEnvironmentPrivilege	2404	rar.exe
Token: SeChangeNotifyPrivilege	2404	rar.exe
Token: SeRemoteShutdownPrivilege	2404	rar.exe
Token: SeUndockPrivilege	2404	rar.exe
Token: SeManageVolumePrivilege	2404	rar.exe
Token: SeImpersonatePrivilege	2404	rar.exe
Token: SeCreateGlobalPrivilege	2404	rar.exe
Token: 33	2404	rar.exe
Token: 34	2404	rar.exe
Token: 35	2404	rar.exe
Token: SeDebugPrivilege	2964	smsA3DD.tmp
Token: SeDebugPrivilege	2836	PRINTSERV.EXE
Token: SeDebugPrivilege	2252	audiodrvs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rar.exe

pid process

2404 rar.exe

pid	process
2404	rar.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

093bc49ab25cc6a20d95155db80f1fa8.exesms9DB6.tmpCHROMEL.EXEPRINTSERV.EXEPRINTSERV.EXEsmsA3DD.tmpcmd.exe

description	pid	process	target process
PID 2504 wrote to memory of 2892	2504	093bc49ab25cc6a20d95155db80f1fa8.exe	sms9DB6.tmp
PID 2504 wrote to memory of 2892	2504	093bc49ab25cc6a20d95155db80f1fa8.exe	sms9DB6.tmp
PID 2504 wrote to memory of 2892	2504	093bc49ab25cc6a20d95155db80f1fa8.exe	sms9DB6.tmp
PID 2504 wrote to memory of 2892	2504	093bc49ab25cc6a20d95155db80f1fa8.exe	sms9DB6.tmp
PID 2892 wrote to memory of 2552	2892	sms9DB6.tmp	CHROMEL.EXE
PID 2892 wrote to memory of 2552	2892	sms9DB6.tmp	CHROMEL.EXE
PID 2892 wrote to memory of 2552	2892	sms9DB6.tmp	CHROMEL.EXE
PID 2892 wrote to memory of 2552	2892	sms9DB6.tmp	CHROMEL.EXE
PID 2892 wrote to memory of 2792	2892	sms9DB6.tmp	PRINTSERV.EXE
PID 2892 wrote to memory of 2792	2892	sms9DB6.tmp	PRINTSERV.EXE
PID 2892 wrote to memory of 2792	2892	sms9DB6.tmp	PRINTSERV.EXE
PID 2892 wrote to memory of 2792	2892	sms9DB6.tmp	PRINTSERV.EXE
PID 2552 wrote to memory of 2964	2552	CHROMEL.EXE	smsA3DD.tmp
PID 2552 wrote to memory of 2964	2552	CHROMEL.EXE	smsA3DD.tmp
PID 2552 wrote to memory of 2964	2552	CHROMEL.EXE	smsA3DD.tmp
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2432	2892	sms9DB6.tmp	notepad.exe
PID 2892 wrote to memory of 2404	2892	sms9DB6.tmp	rar.exe
PID 2892 wrote to memory of 2404	2892	sms9DB6.tmp	rar.exe
PID 2892 wrote to memory of 2404	2892	sms9DB6.tmp	rar.exe
PID 2892 wrote to memory of 2404	2892	sms9DB6.tmp	rar.exe
PID 2792 wrote to memory of 2836	2792	PRINTSERV.EXE	PRINTSERV.EXE
PID 2792 wrote to memory of 2836	2792	PRINTSERV.EXE	PRINTSERV.EXE
PID 2792 wrote to memory of 2836	2792	PRINTSERV.EXE	PRINTSERV.EXE
PID 2792 wrote to memory of 2836	2792	PRINTSERV.EXE	PRINTSERV.EXE
PID 2836 wrote to memory of 1208	2836	PRINTSERV.EXE	schtasks.exe
PID 2836 wrote to memory of 1208	2836	PRINTSERV.EXE	schtasks.exe
PID 2836 wrote to memory of 1208	2836	PRINTSERV.EXE	schtasks.exe
PID 2836 wrote to memory of 1208	2836	PRINTSERV.EXE	schtasks.exe
PID 2964 wrote to memory of 808	2964	smsA3DD.tmp	schtasks.exe
PID 2964 wrote to memory of 808	2964	smsA3DD.tmp	schtasks.exe
PID 2964 wrote to memory of 808	2964	smsA3DD.tmp	schtasks.exe
PID 2964 wrote to memory of 2608	2964	smsA3DD.tmp	cmd.exe
PID 2964 wrote to memory of 2608	2964	smsA3DD.tmp	cmd.exe
PID 2964 wrote to memory of 2608	2964	smsA3DD.tmp	cmd.exe
PID 2608 wrote to memory of 2924	2608	cmd.exe	timeout.exe
PID 2608 wrote to memory of 2924	2608	cmd.exe	timeout.exe
PID 2608 wrote to memory of 2924	2608	cmd.exe	timeout.exe
PID 2608 wrote to memory of 2252	2608	cmd.exe	audiodrvs.exe
PID 2608 wrote to memory of 2252	2608	cmd.exe	audiodrvs.exe
PID 2608 wrote to memory of 2252	2608	cmd.exe	audiodrvs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\093bc49ab25cc6a20d95155db80f1fa8.exe
"C:\Users\Admin\AppData\Local\Temp\093bc49ab25cc6a20d95155db80f1fa8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\sms9DB6.tmp
  "C:\Users\Admin\AppData\Local\Temp\sms9DB6.tmp"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE
    "C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\smsA3DD.tmp
      "C:\Users\Admin\AppData\Local\Temp\smsA3DD.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodrvs.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:808
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:2924
      - C:\Users\Admin\AppData\Roaming\audiodrvs.exe
        
        "C:\Users\Admin\AppData\Roaming\audiodrvs.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
- - C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE
    "C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBECD.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1208
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2432
- - C:\Users\Admin\Documents\rar.exe
    "C:\Users\Admin\Documents\rar.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE

Filesize
184KB

MD5
f6062ddb9cc2fad6e403b8b9dbe02df7

SHA1
efebcabb3902cdcc7b789786d96db2a93156b81a

SHA256
61309415bb524bba3d6065cf5df5ce2031ddde239c7f7864d0d2eaf31597a96c

SHA512
3d2473fd09d5d0a4a0f463ed84522165254880a6f94491b5c9a21fbbd39df4579980184fd838f75b3ad6457065c818c536447ae18c97eac29146cd8be5883040

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE

Filesize
408KB

MD5
b8eaef2339ba6bfac3648df30d041a95

SHA1
0833419f0da847383c0031611c69a87baa8f2d6d

SHA256
6ce2b4a0e176126f0899223eace35c31b544e46a2067b0ecf0adf8d06f87309d

SHA512
c265a39039c9dd8237fb10c26066ff7247babc727a556919f7673311dee1d38c3a52a2cf83e54f148401b984495b4e5636b8254388376e96f0a4e9a40cba6613

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms9DB6.tmp

Filesize
595KB

MD5
89feeb6ec82c704b1771bfa2536bd401

SHA1
2ae958b6e74986696e412e313b5f0aee3756ba19

SHA256
9765068707da158f492b48d5628b3b6cc93dc34dd402d57c0b4ced60701e0b9a

SHA512
9ef8c9c1c9795cf4451dd577c2292171c7dccb9aa24447dff72de9e886e604638b32f637ba8e19cfc86c377fed7a97c56336a62f7edd6130d4a8b928f5bf0484

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsA3DD.tmp

Filesize
46KB

MD5
194de251c043183099b2d6f7f5d1e09f

SHA1
dc477dfc0e090e8d7bd31fb808f59060dd2cf360

SHA256
12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6

SHA512
6a1433b9bc070f18f60c3f115a1173e8979d211f6e97daf3fc7fe13f05ab15123874919418fc014fdd8af62c82426cb091b867b36a49fe7fc8fe929709b3a433

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBECD.tmp

Filesize
1KB

MD5
db5e3f14b64ed69affa1389010cd445e

SHA1
752719617c787dbb741cfd4e8a608dd2f578d4c9

SHA256
eaeea05441cdf6ec90fd034de26b0108920f2d625f308497ebe7c05be8b69cc4

SHA512
8ee07a3e1684fb72852ad954b985db0d5a3931be5037a1fa8cb62677401d52042d80a80f27e1692edfef1d9f15b1d0cb8b8633b0414727cd775b04c4bb5e7fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.bat

Filesize
153B

MD5
f0ba6e0e38087415cf4ae81474fdb8cb

SHA1
439e0b0f7d3ae293e851acf870ca4b86ac65d30e

SHA256
ddb9dfd387d76bba5f949f6a5bb3872c374272daa5290446861f62070e01a4e2

SHA512
13f059f89c6456c61391034d435887e63aa63022a539d3e03b712a4d9a3292ece566ab4c0fa13f4d5a1d27c401566e875d66641fda46f2db5ab3a681d5ba3678

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrvs.exe

Filesize
39.3MB

MD5
acdb5067fdd132a6cf0ec2fbb9d763dc

SHA1
10f4d475c35b3b896d2b078f074ca604b4bd56bc

SHA256
01b1c5f6aba65008545ab3f9dc5aa90225299211823a2ec86a1377e7f1612eee

SHA512
701678d672920fd5983e426ec4a98656240f26174faa7750db67a53e8fe51c8fa2ae3d39ecd6e3de662c3aca27c8634a8384e0c1e02322db9aefed6221177f19

Download Submit
memory/2252-117-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2404-102-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2404-85-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2404-113-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2404-118-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2432-70-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2432-41-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2504-6-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2504-5-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2504-0-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2504-3-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2504-2-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2504-4-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2504-1-0x00000000006BD000-0x00000000006BE000-memory.dmp

Filesize
4KB

Download
memory/2552-38-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/2552-101-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/2792-86-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2792-73-0x0000000000C70000-0x0000000000CDE000-memory.dmp

Filesize
440KB

Download
memory/2836-94-0x0000000001140000-0x00000000011AE000-memory.dmp

Filesize
440KB

Download
memory/2892-96-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2892-82-0x0000000005200000-0x000000000535B000-memory.dmp

Filesize
1.4MB

Download
memory/2892-83-0x0000000005200000-0x000000000535B000-memory.dmp

Filesize
1.4MB

Download
memory/2892-35-0x0000000003500000-0x00000000035E1000-memory.dmp

Filesize
900KB

Download
memory/2892-37-0x0000000003500000-0x00000000035E1000-memory.dmp

Filesize
900KB

Download
memory/2892-14-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2892-13-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2964-72-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads