asyncrat | 0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b

General

Target

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe
Size

753KB
MD5

093bc49ab25cc6a20d95155db80f1fa8
SHA1

b1ed1ffa34d4e909e30e8a3a299a22d5101380e1
SHA256

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b
SHA512

bec9a628e91f16cd4bdfcda85f30a447ab2e817acdfcee307187cb2d5aaff32eb3fa3b659f810aca40290f97ff59122873d60e3fe9988d2195da0b6cb0870722
SSDEEP

12288:mUvKFtlyYqn58iP23JOcXYkrCQNkfCVvd487NYe3VqiYT6K3ifW+Janl:glyY058i0OuIQNkfCb4IV2iW+Janl

Score

10^/10

asyncrat darkcomet 2024+may3333-newcrt persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+May3333-newcrt

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-M4P4YFY

Attributes

InstallPath
rar.exe
gencode
jSEma97mAgP2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
winrar

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex778899

Attributes

delay
5
install
true
install_file
audiodrvs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sms4323.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\rar.exe"	sms4323.tmp

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4527.tmp	family_asyncrat

Drops file in Drivers directory 1 IoCs

Processes:

sms4323.tmp

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts sms4323.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms4323.tmp

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sms4527.tmpsms4323.tmpPRINTSERV.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	sms4527.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	sms4323.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	PRINTSERV.EXE

Executes dropped EXE 7 IoCs

Processes:

sms4323.tmpCHROMEL.EXEPRINTSERV.EXEsms4527.tmpPRINTSERV.EXErar.exeaudiodrvs.exe

pid process

4856 sms4323.tmp
4392 CHROMEL.EXE
5052 PRINTSERV.EXE
3644 sms4527.tmp
4388 PRINTSERV.EXE
4936 rar.exe
4376 audiodrvs.exe

pid	process
4856	sms4323.tmp
4392	CHROMEL.EXE
5052	PRINTSERV.EXE
3644	sms4527.tmp
4388	PRINTSERV.EXE
4936	rar.exe
4376	audiodrvs.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms4323.tmp	upx
behavioral2/memory/4856-11-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4856-12-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4856-117-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4936-124-0x0000000000400000-0x000000000055B000-memory.dmp	upx
behavioral2/memory/4936-134-0x0000000000400000-0x000000000055B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sms4323.tmprar.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	sms4323.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\rar.exe"	rar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4240 schtasks.exe
2200 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4912 timeout.exe
Modifies registry class 1 IoCs

Processes:

sms4323.tmp

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sms4323.tmp

pid	process
4240	schtasks.exe
2200	schtasks.exe

pid	process
4912	timeout.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sms4323.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PRINTSERV.EXEsms4527.tmpaudiodrvs.exe

pid	process
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
3644	sms4527.tmp
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4376	audiodrvs.exe
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE
4388	PRINTSERV.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

sms4323.tmprar.exesms4527.tmpPRINTSERV.EXEaudiodrvs.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4856	sms4323.tmp
Token: SeSecurityPrivilege	4856	sms4323.tmp
Token: SeTakeOwnershipPrivilege	4856	sms4323.tmp
Token: SeLoadDriverPrivilege	4856	sms4323.tmp
Token: SeSystemProfilePrivilege	4856	sms4323.tmp
Token: SeSystemtimePrivilege	4856	sms4323.tmp
Token: SeProfSingleProcessPrivilege	4856	sms4323.tmp
Token: SeIncBasePriorityPrivilege	4856	sms4323.tmp
Token: SeCreatePagefilePrivilege	4856	sms4323.tmp
Token: SeBackupPrivilege	4856	sms4323.tmp
Token: SeRestorePrivilege	4856	sms4323.tmp
Token: SeShutdownPrivilege	4856	sms4323.tmp
Token: SeDebugPrivilege	4856	sms4323.tmp
Token: SeSystemEnvironmentPrivilege	4856	sms4323.tmp
Token: SeChangeNotifyPrivilege	4856	sms4323.tmp
Token: SeRemoteShutdownPrivilege	4856	sms4323.tmp
Token: SeUndockPrivilege	4856	sms4323.tmp
Token: SeManageVolumePrivilege	4856	sms4323.tmp
Token: SeImpersonatePrivilege	4856	sms4323.tmp
Token: SeCreateGlobalPrivilege	4856	sms4323.tmp
Token: 33	4856	sms4323.tmp
Token: 34	4856	sms4323.tmp
Token: 35	4856	sms4323.tmp
Token: 36	4856	sms4323.tmp
Token: SeIncreaseQuotaPrivilege	4936	rar.exe
Token: SeSecurityPrivilege	4936	rar.exe
Token: SeTakeOwnershipPrivilege	4936	rar.exe
Token: SeLoadDriverPrivilege	4936	rar.exe
Token: SeSystemProfilePrivilege	4936	rar.exe
Token: SeSystemtimePrivilege	4936	rar.exe
Token: SeProfSingleProcessPrivilege	4936	rar.exe
Token: SeIncBasePriorityPrivilege	4936	rar.exe
Token: SeCreatePagefilePrivilege	4936	rar.exe
Token: SeBackupPrivilege	4936	rar.exe
Token: SeRestorePrivilege	4936	rar.exe
Token: SeShutdownPrivilege	4936	rar.exe
Token: SeDebugPrivilege	4936	rar.exe
Token: SeSystemEnvironmentPrivilege	4936	rar.exe
Token: SeChangeNotifyPrivilege	4936	rar.exe
Token: SeRemoteShutdownPrivilege	4936	rar.exe
Token: SeUndockPrivilege	4936	rar.exe
Token: SeManageVolumePrivilege	4936	rar.exe
Token: SeImpersonatePrivilege	4936	rar.exe
Token: SeCreateGlobalPrivilege	4936	rar.exe
Token: 33	4936	rar.exe
Token: 34	4936	rar.exe
Token: 35	4936	rar.exe
Token: 36	4936	rar.exe
Token: SeDebugPrivilege	3644	sms4527.tmp
Token: SeDebugPrivilege	4388	PRINTSERV.EXE
Token: SeDebugPrivilege	4376	audiodrvs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rar.exe

pid process

4936 rar.exe

pid	process
4936	rar.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exesms4323.tmpCHROMEL.EXEPRINTSERV.EXEPRINTSERV.EXEsms4527.tmpcmd.exe

description	pid	process	target process
PID 2316 wrote to memory of 4856	2316	0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe	sms4323.tmp
PID 2316 wrote to memory of 4856	2316	0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe	sms4323.tmp
PID 2316 wrote to memory of 4856	2316	0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe	sms4323.tmp
PID 4856 wrote to memory of 4392	4856	sms4323.tmp	CHROMEL.EXE
PID 4856 wrote to memory of 4392	4856	sms4323.tmp	CHROMEL.EXE
PID 4856 wrote to memory of 5052	4856	sms4323.tmp	PRINTSERV.EXE
PID 4856 wrote to memory of 5052	4856	sms4323.tmp	PRINTSERV.EXE
PID 4856 wrote to memory of 5052	4856	sms4323.tmp	PRINTSERV.EXE
PID 4392 wrote to memory of 3644	4392	CHROMEL.EXE	sms4527.tmp
PID 4392 wrote to memory of 3644	4392	CHROMEL.EXE	sms4527.tmp
PID 5052 wrote to memory of 4388	5052	PRINTSERV.EXE	PRINTSERV.EXE
PID 5052 wrote to memory of 4388	5052	PRINTSERV.EXE	PRINTSERV.EXE
PID 5052 wrote to memory of 4388	5052	PRINTSERV.EXE	PRINTSERV.EXE
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 1860	4856	sms4323.tmp	notepad.exe
PID 4856 wrote to memory of 4936	4856	sms4323.tmp	rar.exe
PID 4856 wrote to memory of 4936	4856	sms4323.tmp	rar.exe
PID 4856 wrote to memory of 4936	4856	sms4323.tmp	rar.exe
PID 4388 wrote to memory of 4240	4388	PRINTSERV.EXE	schtasks.exe
PID 4388 wrote to memory of 4240	4388	PRINTSERV.EXE	schtasks.exe
PID 4388 wrote to memory of 4240	4388	PRINTSERV.EXE	schtasks.exe
PID 3644 wrote to memory of 2200	3644	sms4527.tmp	schtasks.exe
PID 3644 wrote to memory of 2200	3644	sms4527.tmp	schtasks.exe
PID 3644 wrote to memory of 1264	3644	sms4527.tmp	cmd.exe
PID 3644 wrote to memory of 1264	3644	sms4527.tmp	cmd.exe
PID 1264 wrote to memory of 4912	1264	cmd.exe	timeout.exe
PID 1264 wrote to memory of 4912	1264	cmd.exe	timeout.exe
PID 1264 wrote to memory of 4376	1264	cmd.exe	audiodrvs.exe
PID 1264 wrote to memory of 4376	1264	cmd.exe	audiodrvs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe
"C:\Users\Admin\AppData\Local\Temp\0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\sms4323.tmp
"C:\Users\Admin\AppData\Local\Temp\sms4323.tmp"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\sms4527.tmp
"C:\Users\Admin\AppData\Local\Temp\sms4527.tmp"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodrvs.exe"'
5⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp856C.tmp.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:4912

C:\Users\Admin\AppData\Roaming\audiodrvs.exe
"C:\Users\Admin\AppData\Roaming\audiodrvs.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE
"C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE
"C:\Users\Admin\AppData\Local\Temp\XenoManager\PRINTSERV.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5AC2.tmp" /F
5⤵
- Creates scheduled task(s)
PID:4240

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1860

C:\Users\Admin\Documents\rar.exe
"C:\Users\Admin\Documents\rar.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRINTSERV.EXE.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROMEL.EXE
Filesize
184KB

MD5
f6062ddb9cc2fad6e403b8b9dbe02df7

SHA1
efebcabb3902cdcc7b789786d96db2a93156b81a

SHA256
61309415bb524bba3d6065cf5df5ce2031ddde239c7f7864d0d2eaf31597a96c

SHA512
3d2473fd09d5d0a4a0f463ed84522165254880a6f94491b5c9a21fbbd39df4579980184fd838f75b3ad6457065c818c536447ae18c97eac29146cd8be5883040

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRINTSERV.EXE
Filesize
408KB

MD5
b8eaef2339ba6bfac3648df30d041a95

SHA1
0833419f0da847383c0031611c69a87baa8f2d6d

SHA256
6ce2b4a0e176126f0899223eace35c31b544e46a2067b0ecf0adf8d06f87309d

SHA512
c265a39039c9dd8237fb10c26066ff7247babc727a556919f7673311dee1d38c3a52a2cf83e54f148401b984495b4e5636b8254388376e96f0a4e9a40cba6613

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4323.tmp
Filesize
595KB

MD5
89feeb6ec82c704b1771bfa2536bd401

SHA1
2ae958b6e74986696e412e313b5f0aee3756ba19

SHA256
9765068707da158f492b48d5628b3b6cc93dc34dd402d57c0b4ced60701e0b9a

SHA512
9ef8c9c1c9795cf4451dd577c2292171c7dccb9aa24447dff72de9e886e604638b32f637ba8e19cfc86c377fed7a97c56336a62f7edd6130d4a8b928f5bf0484

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms4527.tmp
Filesize
46KB

MD5
194de251c043183099b2d6f7f5d1e09f

SHA1
dc477dfc0e090e8d7bd31fb808f59060dd2cf360

SHA256
12bee16f9692cb9a6d3713543cf998a4f953d0341f4e9c661748faef525d91e6

SHA512
6a1433b9bc070f18f60c3f115a1173e8979d211f6e97daf3fc7fe13f05ab15123874919418fc014fdd8af62c82426cb091b867b36a49fe7fc8fe929709b3a433

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5AC2.tmp
Filesize
1KB

MD5
db5e3f14b64ed69affa1389010cd445e

SHA1
752719617c787dbb741cfd4e8a608dd2f578d4c9

SHA256
eaeea05441cdf6ec90fd034de26b0108920f2d625f308497ebe7c05be8b69cc4

SHA512
8ee07a3e1684fb72852ad954b985db0d5a3931be5037a1fa8cb62677401d52042d80a80f27e1692edfef1d9f15b1d0cb8b8633b0414727cd775b04c4bb5e7fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp856C.tmp.bat
Filesize
153B

MD5
c68fb8e143e12e69f31c83f949175a7d

SHA1
6e5d345c8b70e29529ec5ecfaa421299dba5c14f

SHA256
1e4a420ca8ccb21ffdb9ad22cad9a2addb9346aa83c36ac5d621ab6016e3b2e0

SHA512
13239917866b3a52566be890d556d7ea3deb0f0fccbe3eea2e50c86ade6e3f190fe16c6f7cd7e521696d761cfa65522adbe945cd3767bfa3805674a4f8e10860

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrvs.exe
Filesize
39.8MB

MD5
b66d6b47aafc5403cd9facb85167adc1

SHA1
ecbd2ed963c33db5cfff3ecb53d83df13933c2c2

SHA256
ddca7fa19730a59fc088ca18b24c30e485bf0f324784b8f0c8c588fbf4df0bac

SHA512
8d9a8c9dd3aaf7c42d1876cb5376ebc0d974bb5a9feb8879a18a34d59e1306276a23c251aad04e6e5f8490e570ffcd5a3aaeecd07838b418e9c51593ad0b03e6

Download Submit
memory/1860-58-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2316-118-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2316-3-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2316-1-0x00000000006BB000-0x00000000006BC000-memory.dmp

Filesize
4KB

Download
memory/2316-2-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2316-0-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2316-5-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2316-4-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/2316-6-0x0000000000400000-0x00000000007956B4-memory.dmp

Filesize
3.6MB

Download
memory/3644-43-0x0000000000050000-0x0000000000062000-memory.dmp

Filesize
72KB

Download
memory/4388-122-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/4392-123-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/4392-32-0x0000000000400000-0x00000000004E05B0-memory.dmp

Filesize
897KB

Download
memory/4856-117-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4856-12-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4856-11-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4936-124-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4936-134-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/5052-44-0x00000000050C0000-0x00000000050C6000-memory.dmp

Filesize
24KB

Download
memory/5052-38-0x0000000000760000-0x00000000007CE000-memory.dmp

Filesize
440KB

Download
memory/5052-36-0x00000000734DE000-0x00000000734DF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads