asyncrat | d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a9bf696f1af170e0e1b5ede752a1578.exe
Size

4.1MB
MD5

2a9bf696f1af170e0e1b5ede752a1578
SHA1

96b9f6c7398fc9c0cc44534dfabe08f0583baf3a
SHA256

d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f
SHA512

8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d
SSDEEP

98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd

Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+june1-newcrt 2024+june111-newcrt new-july-july4-0 new-july-july4-02 evasion infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+June111-newcrt

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-TF0M80E

Attributes

gencode
FStELhsGExZX
install
false
offline_keylogger
false
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

v5tvc5rc5ex77777

Attributes

delay
5
install
true
install_file
audiodvs.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+June1-newcrt

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-62B5ZW6

Attributes

InstallPath
word.exe
gencode
T8Q4ENhuqy1g
install
true
offline_keylogger
false
password
hhhhhh
persistence
true
reg_key
word

Extracted

Family

babylonrat

dgorijan20785.hopto.org

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

win_sv88778sl

Attributes

delay
5000
install_path
temp
port
4488
startup_name
logons

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sms68AD.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word.exe"	sms68AD.tmp

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms67E2.tmp	family_asyncrat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3092-451-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3092-448-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2964-497-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2964-498-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6088-514-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/6088-516-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 5 IoCs

Processes:

sms61F6.tmpsms68AD.tmpInstallUtil.exeAUDIOPT.EXEAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms61F6.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms68AD.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINCPUL.EXEAUDIOPT.EXEEDGEN.EXEWINLOGONL.EXEWINCPUL.EXEADOBESERV.EXEwintskl.exeWRAR.EXEsms68AD.tmpsms67E2.tmpWINPLAY.EXEDRVVIDEO.EXEwintsklt.exesms61F6.tmpAUDIOPT.EXEDRVVIDEO.EXEWINPLAY.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EDGEN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WRAR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sms68AD.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sms67E2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sms61F6.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Executes dropped EXE 49 IoCs

Processes:

sms61F6.tmpEDGEN.EXEUSBDRV.EXEWINLISTS.EXEWINNOTE.EXEWRAR.EXEsms67E2.tmpsms68AD.tmpword.exesms6F54.tmpviewpdf.exeaudiodvs.exeADOBESERV.EXEAUDIOPT.EXEEDGEN.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEEDGEN.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEEDGEN.EXEDRVVIDEO.EXEWINPLAY.EXEWINPLAY.EXEAUDIOPT.EXEAUDIOPT.EXEAUDIOPT.EXEWINCPUL.EXEWINCPUL.EXEWINCPUL.EXEDRVVIDEO.EXEDRVVIDEO.EXEWINLOGONL.EXEWINLOGONL.EXEWINPLAY.EXEWINLOGONL.EXEWINLOGONL.EXEwintsklt.exewintskl.exewintsklt.exewintsklt.exewintsklt.exewintskl.exe

pid	process
2776	sms61F6.tmp
5116	EDGEN.EXE
4800	USBDRV.EXE
4216	WINLISTS.EXE
2876	WINNOTE.EXE
4816	WRAR.EXE
5012	sms67E2.tmp
3180	sms68AD.tmp
3916	word.exe
1096	sms6F54.tmp
4964	viewpdf.exe
1424	audiodvs.exe
4784	ADOBESERV.EXE
1604	AUDIOPT.EXE
1580	EDGEN.EXE
4748	DRVVIDEO.EXE
1864	WINCPUL.EXE
3268	WINLOGONL.EXE
4392	WINPLAY.EXE
3440	EDGEN.EXE
4272	ADOBESERV.EXE
3648	AUDIOPT.EXE
1736	DRVVIDEO.EXE
1520	WINCPUL.EXE
2956	WINLOGONL.EXE
5040	WINPLAY.EXE
6080	EDGEN.EXE
3092	DRVVIDEO.EXE
4408	WINPLAY.EXE
5148	WINPLAY.EXE
4992	AUDIOPT.EXE
3440	AUDIOPT.EXE
5776	AUDIOPT.EXE
2964	WINCPUL.EXE
6092	WINCPUL.EXE
6052	WINCPUL.EXE
5296	DRVVIDEO.EXE
2076	DRVVIDEO.EXE
768	WINLOGONL.EXE
6088	WINLOGONL.EXE
1852	WINPLAY.EXE
6124	WINLOGONL.EXE
5016	WINLOGONL.EXE
5452	wintsklt.exe
3684	wintskl.exe
5908	wintsklt.exe
640	wintsklt.exe
1596	wintsklt.exe
3868	wintskl.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms61F6.tmp	upx
behavioral2/memory/2776-9-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/2776-12-0x0000000000400000-0x000000000089A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\sms68AD.tmp	upx
behavioral2/memory/3180-81-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/3916-159-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/3180-178-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2776-188-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/3916-191-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2776-200-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/2288-209-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2288-210-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2288-212-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2288-320-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2288-319-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2288-318-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2776-435-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/3916-436-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2776-442-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/3916-445-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/1480-455-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1480-457-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1480-458-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1480-459-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1480-462-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1480-460-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1480-466-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1480-465-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4992-482-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4992-483-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4992-479-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4992-492-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4992-491-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WINCPUL.EXEword.exeAUDIOPT.EXEWINLOGONL.EXEADOBESERV.EXEDRVVIDEO.EXEWINLOGONL.EXEsms68AD.tmpsms6F54.tmpviewpdf.exeWRAR.EXEDRVVIDEO.EXEAUDIOPT.EXEADOBESERV.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	word.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	sms68AD.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	sms6F54.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	viewpdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	WRAR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE

Suspicious use of SetThreadContext 17 IoCs

Processes:

WRAR.EXEEDGEN.EXEEDGEN.EXEDRVVIDEO.EXEADOBESERV.EXEWINPLAY.EXEAUDIOPT.EXEAUDIOPT.EXEWINCPUL.EXEADOBESERV.EXEWINCPUL.EXEDRVVIDEO.EXEWINLOGONL.EXEWINPLAY.EXEWINLOGONL.EXEwintsklt.exewintskl.exe

description	pid	process	target process
PID 4816 set thread context of 2288	4816	WRAR.EXE	InstallUtil.exe
PID 5116 set thread context of 1580	5116	EDGEN.EXE	EDGEN.EXE
PID 3440 set thread context of 6080	3440	EDGEN.EXE	EDGEN.EXE
PID 4748 set thread context of 3092	4748	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 4784 set thread context of 1480	4784	ADOBESERV.EXE	InstallUtil.exe
PID 4392 set thread context of 5148	4392	WINPLAY.EXE	WINPLAY.EXE
PID 1604 set thread context of 4992	1604	AUDIOPT.EXE	AUDIOPT.EXE
PID 3648 set thread context of 5776	3648	AUDIOPT.EXE	AUDIOPT.EXE
PID 1864 set thread context of 2964	1864	WINCPUL.EXE	WINCPUL.EXE
PID 4272 set thread context of 1252	4272	ADOBESERV.EXE	InstallUtil.exe
PID 1520 set thread context of 6052	1520	WINCPUL.EXE	WINCPUL.EXE
PID 1736 set thread context of 2076	1736	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 3268 set thread context of 6088	3268	WINLOGONL.EXE	WINLOGONL.EXE
PID 5040 set thread context of 1852	5040	WINPLAY.EXE	WINPLAY.EXE
PID 2956 set thread context of 5016	2956	WINLOGONL.EXE	WINLOGONL.EXE
PID 5452 set thread context of 1596	5452	wintsklt.exe	wintsklt.exe
PID 3684 set thread context of 3868	3684	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5060 schtasks.exe
1600 schtasks.exe
5140 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3112 timeout.exe
1828 timeout.exe
Modifies registry class 1 IoCs

Processes:

sms68AD.tmp

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sms68AD.tmp
NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

pid	process
5060	schtasks.exe
1600	schtasks.exe
5140	schtasks.exe

pid	process
3112	timeout.exe
1828	timeout.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sms68AD.tmp

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesms67E2.tmpWRAR.EXEaudiodvs.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
5012	sms67E2.tmp
4816	WRAR.EXE
4816	WRAR.EXE
4816	WRAR.EXE
4816	WRAR.EXE
4816	WRAR.EXE
4816	WRAR.EXE
1424	audiodvs.exe
1424	audiodvs.exe
3036	powershell.exe
3036	powershell.exe
4112	powershell.exe
4112	powershell.exe
4740	powershell.exe
4740	powershell.exe
3096	powershell.exe
3096	powershell.exe
4312	powershell.exe
4312	powershell.exe
2404	powershell.exe
2404	powershell.exe
5116	powershell.exe
5116	powershell.exe
2736	powershell.exe
2736	powershell.exe
5008	powershell.exe
5008	powershell.exe
5168	powershell.exe
5168	powershell.exe
5248	powershell.exe
5248	powershell.exe
5392	powershell.exe
5392	powershell.exe
4112	powershell.exe
4112	powershell.exe
3036	powershell.exe
3036	powershell.exe
3096	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

viewpdf.exeInstallUtil.exe

pid process

4964 viewpdf.exe
1480 InstallUtil.exe

pid	process
4964	viewpdf.exe
1480	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sms61F6.tmpsms68AD.tmpword.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2776	sms61F6.tmp
Token: SeSecurityPrivilege	2776	sms61F6.tmp
Token: SeTakeOwnershipPrivilege	2776	sms61F6.tmp
Token: SeLoadDriverPrivilege	2776	sms61F6.tmp
Token: SeSystemProfilePrivilege	2776	sms61F6.tmp
Token: SeSystemtimePrivilege	2776	sms61F6.tmp
Token: SeProfSingleProcessPrivilege	2776	sms61F6.tmp
Token: SeIncBasePriorityPrivilege	2776	sms61F6.tmp
Token: SeCreatePagefilePrivilege	2776	sms61F6.tmp
Token: SeBackupPrivilege	2776	sms61F6.tmp
Token: SeRestorePrivilege	2776	sms61F6.tmp
Token: SeShutdownPrivilege	2776	sms61F6.tmp
Token: SeDebugPrivilege	2776	sms61F6.tmp
Token: SeSystemEnvironmentPrivilege	2776	sms61F6.tmp
Token: SeChangeNotifyPrivilege	2776	sms61F6.tmp
Token: SeRemoteShutdownPrivilege	2776	sms61F6.tmp
Token: SeUndockPrivilege	2776	sms61F6.tmp
Token: SeManageVolumePrivilege	2776	sms61F6.tmp
Token: SeImpersonatePrivilege	2776	sms61F6.tmp
Token: SeCreateGlobalPrivilege	2776	sms61F6.tmp
Token: 33	2776	sms61F6.tmp
Token: 34	2776	sms61F6.tmp
Token: 35	2776	sms61F6.tmp
Token: 36	2776	sms61F6.tmp
Token: SeIncreaseQuotaPrivilege	3180	sms68AD.tmp
Token: SeSecurityPrivilege	3180	sms68AD.tmp
Token: SeTakeOwnershipPrivilege	3180	sms68AD.tmp
Token: SeLoadDriverPrivilege	3180	sms68AD.tmp
Token: SeSystemProfilePrivilege	3180	sms68AD.tmp
Token: SeSystemtimePrivilege	3180	sms68AD.tmp
Token: SeProfSingleProcessPrivilege	3180	sms68AD.tmp
Token: SeIncBasePriorityPrivilege	3180	sms68AD.tmp
Token: SeCreatePagefilePrivilege	3180	sms68AD.tmp
Token: SeBackupPrivilege	3180	sms68AD.tmp
Token: SeRestorePrivilege	3180	sms68AD.tmp
Token: SeShutdownPrivilege	3180	sms68AD.tmp
Token: SeDebugPrivilege	3180	sms68AD.tmp
Token: SeSystemEnvironmentPrivilege	3180	sms68AD.tmp
Token: SeChangeNotifyPrivilege	3180	sms68AD.tmp
Token: SeRemoteShutdownPrivilege	3180	sms68AD.tmp
Token: SeUndockPrivilege	3180	sms68AD.tmp
Token: SeManageVolumePrivilege	3180	sms68AD.tmp
Token: SeImpersonatePrivilege	3180	sms68AD.tmp
Token: SeCreateGlobalPrivilege	3180	sms68AD.tmp
Token: 33	3180	sms68AD.tmp
Token: 34	3180	sms68AD.tmp
Token: 35	3180	sms68AD.tmp
Token: 36	3180	sms68AD.tmp
Token: SeIncreaseQuotaPrivilege	3916	word.exe
Token: SeSecurityPrivilege	3916	word.exe
Token: SeTakeOwnershipPrivilege	3916	word.exe
Token: SeLoadDriverPrivilege	3916	word.exe
Token: SeSystemProfilePrivilege	3916	word.exe
Token: SeSystemtimePrivilege	3916	word.exe
Token: SeProfSingleProcessPrivilege	3916	word.exe
Token: SeIncBasePriorityPrivilege	3916	word.exe
Token: SeCreatePagefilePrivilege	3916	word.exe
Token: SeBackupPrivilege	3916	word.exe
Token: SeRestorePrivilege	3916	word.exe
Token: SeShutdownPrivilege	3916	word.exe
Token: SeDebugPrivilege	3916	word.exe
Token: SeSystemEnvironmentPrivilege	3916	word.exe
Token: SeChangeNotifyPrivilege	3916	word.exe
Token: SeRemoteShutdownPrivilege	3916	word.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

viewpdf.exeInstallUtil.exeInstallUtil.exeAUDIOPT.EXE

pid process

4964 viewpdf.exe
2288 InstallUtil.exe
1480 InstallUtil.exe
4992 AUDIOPT.EXE

pid	process
4964	viewpdf.exe
2288	InstallUtil.exe
1480	InstallUtil.exe
4992	AUDIOPT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2a9bf696f1af170e0e1b5ede752a1578.exesms61F6.tmpWINLISTS.EXEUSBDRV.EXEsms68AD.tmpWINNOTE.EXEWRAR.EXEword.exe

description	pid	process	target process
PID 2888 wrote to memory of 2776	2888	2a9bf696f1af170e0e1b5ede752a1578.exe	sms61F6.tmp
PID 2888 wrote to memory of 2776	2888	2a9bf696f1af170e0e1b5ede752a1578.exe	sms61F6.tmp
PID 2888 wrote to memory of 2776	2888	2a9bf696f1af170e0e1b5ede752a1578.exe	sms61F6.tmp
PID 2776 wrote to memory of 5116	2776	sms61F6.tmp	EDGEN.EXE
PID 2776 wrote to memory of 5116	2776	sms61F6.tmp	EDGEN.EXE
PID 2776 wrote to memory of 5116	2776	sms61F6.tmp	EDGEN.EXE
PID 2776 wrote to memory of 4800	2776	sms61F6.tmp	USBDRV.EXE
PID 2776 wrote to memory of 4800	2776	sms61F6.tmp	USBDRV.EXE
PID 2776 wrote to memory of 4216	2776	sms61F6.tmp	WINLISTS.EXE
PID 2776 wrote to memory of 4216	2776	sms61F6.tmp	WINLISTS.EXE
PID 2776 wrote to memory of 2876	2776	sms61F6.tmp	WINNOTE.EXE
PID 2776 wrote to memory of 2876	2776	sms61F6.tmp	WINNOTE.EXE
PID 2776 wrote to memory of 4816	2776	sms61F6.tmp	WRAR.EXE
PID 2776 wrote to memory of 4816	2776	sms61F6.tmp	WRAR.EXE
PID 2776 wrote to memory of 4816	2776	sms61F6.tmp	WRAR.EXE
PID 4216 wrote to memory of 5012	4216	WINLISTS.EXE	sms67E2.tmp
PID 4216 wrote to memory of 5012	4216	WINLISTS.EXE	sms67E2.tmp
PID 4800 wrote to memory of 3180	4800	USBDRV.EXE	sms68AD.tmp
PID 4800 wrote to memory of 3180	4800	USBDRV.EXE	sms68AD.tmp
PID 4800 wrote to memory of 3180	4800	USBDRV.EXE	sms68AD.tmp
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3316	3180	sms68AD.tmp	notepad.exe
PID 3180 wrote to memory of 3916	3180	sms68AD.tmp	word.exe
PID 3180 wrote to memory of 3916	3180	sms68AD.tmp	word.exe
PID 3180 wrote to memory of 3916	3180	sms68AD.tmp	word.exe
PID 2876 wrote to memory of 1096	2876	WINNOTE.EXE	sms6F54.tmp
PID 2876 wrote to memory of 1096	2876	WINNOTE.EXE	sms6F54.tmp
PID 2876 wrote to memory of 1096	2876	WINNOTE.EXE	sms6F54.tmp
PID 4816 wrote to memory of 4116	4816	WRAR.EXE	powershell.exe
PID 4816 wrote to memory of 4116	4816	WRAR.EXE	powershell.exe
PID 4816 wrote to memory of 4116	4816	WRAR.EXE	powershell.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe
PID 3916 wrote to memory of 2868	3916	word.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe
"C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\sms61F6.tmp
"C:\Users\Admin\AppData\Local\Temp\sms61F6.tmp"
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
"C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5116

C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
"C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
"C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3440

C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
"C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
6⤵
- Executes dropped EXE
PID:6080

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp467A.tmp" /F
7⤵
- Creates scheduled task(s)
PID:1600

C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\sms68AD.tmp
"C:\Users\Admin\AppData\Local\Temp\sms68AD.tmp"
4⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:3316

C:\Users\Admin\Documents\word.exe
"C:\Users\Admin\Documents\word.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\sms67E2.tmp
"C:\Users\Admin\AppData\Local\Temp\sms67E2.tmp"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodvs.exe"'
5⤵
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAAE6.tmp.bat""
5⤵
PID:3612

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:3112

C:\Users\Admin\AppData\Roaming\audiodvs.exe
"C:\Users\Admin\AppData\Roaming\audiodvs.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
"C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Local\Temp\sms6F54.tmp
"C:\Users\Admin\AppData\Local\Temp\sms6F54.tmp"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1096

C:\ProgramData\pdfview\viewpdf.exe
"C:\ProgramData\pdfview\viewpdf.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
"C:\Users\Admin\AppData\Local\Temp\WRAR.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4112

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
6⤵
- Executes dropped EXE
PID:3092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
6⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
PID:2964

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
PID:5496

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
8⤵
- Executes dropped EXE
PID:5908

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
8⤵
- Executes dropped EXE
PID:640

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
8⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
9⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
6⤵
- Executes dropped EXE
PID:768

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
6⤵
- Executes dropped EXE
PID:6088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
6⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:5148

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
7⤵
- Creates scheduled task(s)
PID:5140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7EEF.tmp.bat""
7⤵
PID:5024

C:\Windows\SysWOW64\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:1828

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
9⤵
PID:5256

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
9⤵
- Executes dropped EXE
PID:3868

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
6⤵
- Executes dropped EXE
PID:3440

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5776

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5168

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
6⤵
- Executes dropped EXE
PID:5296

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
6⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
6⤵
- Executes dropped EXE
PID:6092

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
6⤵
- Executes dropped EXE
PID:6052

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5392

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
6⤵
- Executes dropped EXE
PID:6124

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
6⤵
- Executes dropped EXE
PID:5016

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5248

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
6⤵
- Executes dropped EXE
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EDGEN.EXE.log
Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINPLAY.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
7513303282d8007314430777c290ea7c

SHA1
ce2cf7f0fafe67127ef1e37c12cb49662a13ed92

SHA256
8a13b47682ecb3d0ed09612562bd1be4ec0e05efe9688477750eb1cd86f41c8f

SHA512
85629f68a84fd2d61fded491333b7dce6013231cdc9db70cce96cc3a225382884607c6b917994f0e2706d056318ef932e50ab032b3259a464049e350f1b2c80a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
663B

MD5
776881058fdef72f11ffb8a9926b8d67

SHA1
868e0ba7a632d260b4189baf29c13ee04808ef69

SHA256
dcbb1cae9a11de3f69bb8abfb744c73bef4afc744f2bb32ec338e9668ab73508

SHA512
aad7331c10480cb8c9297a49fec5c608463c318b8d6d24f79f733e94ed86de65152d0ec915f7b5917fe32eed4f2c7989bcba5f796d082b2ba2420dba59b10ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
653e28170d1db1053765fec277916c5f

SHA1
910dbf517fa313cdd470d1a4128afe89d5a04152

SHA256
d26cc65b5321dd5a7ccc5b696f2131c19a3651b2499fd536db14fddf54c3bef7

SHA512
8bdc8df17e2544e4199896d75daa018a6cfe4b8b9b319956e206bc62c8f2e9b2f6d13b184dd6e0fb4858b26d5f78b6fabf7a321feca79fec0a97c72bb2698a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
49ee447ea4ca3d8997d6da4671bc8441

SHA1
0e9455c20b6367b397a37ae5969382ab1bbfb2b2

SHA256
b6d4aec344ede0a500b26be4539910fb2a191c4e75649188e7bd2424435d276f

SHA512
39a1e46c712cf031e767efbafc263e75eabfb84883ce8deb71d91760dd52da46890df148b63adf2463ee73bc4bf7c4299b3078ca5fc9427e4143fe9447604382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
612B

MD5
c990bb3a8e3b157178e107f219f7a13b

SHA1
06c2a030c432a033239898346f8fafbfb4d410ca

SHA256
22f09752687ef2d58e0f3eb9a5a54e5dd5ea87beeea27a221456bf82f42604f3

SHA512
eee0dd787550c747739f38f393d7ac88647ae0afc92b089b2f5f57bc64566a199b85f4b4d697f6e4ce4a297b7b599f63e7623306a85af46a189c383cd16f11a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
Filesize
272KB

MD5
f15e71a4533bed5e3d3a79f6b73862a6

SHA1
f1007480f2924e6b35d96b65e6cc0fdee6edb07c

SHA256
63b57bcc9105ace9e2dc463a160c5a7c4d2b22f17229a0c9b5c58454a42d7a89

SHA512
31dbdd945a121d8b8408be150d336a98f04f9dd1df5505d79c61d404aeff61d92d0eaaa973d34c2aaff95280c00431d26198a2ee3ec616c1edce9dca8624e99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
Filesize
421KB

MD5
be6c7a291d10a15274a0613a3d7d373d

SHA1
e9a7d7ee40f875b5f6b2a5ae85825f5f1b510011

SHA256
13f76dc27178fc55f0a9dc756e894195683668d1592f399eab4399825abbdcec

SHA512
5b40578a08b0b44b27ad27cda6d2aafb3ec51b209b0c16f4bfdf589131b36770b738c0278870c5d57fc0daadf9638ded25362363a12ceff1c932afb6c4301bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
Filesize
177KB

MD5
e4cee8675eb9bee518fceb46df6b0171

SHA1
e7a4d534e4fe3930d34178d1e50866201dd9f4dd

SHA256
dbe3e996ba14398b16753ce4be959bde4fb308e0e81c1a24c1632560b4e8396a

SHA512
612a02353ba58f0649ccb89a10ef87ab72968734301c8e97f5c69631177dffbd29b03bcab30e44706dcd7103bdc1f735935012fed5dd219e13fe7ed9bae46205

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
Filesize
850KB

MD5
adc072db38c95f07ba096def8010ec23

SHA1
97470255c4075752e4e0f120847107ed9bad60f8

SHA256
f20d872a03c3a41b240d03b30ad8417e841e5bcfb659bd2ad863a02e215e22f4

SHA512
bec583fa431c13443238db3cec8f555914df682666ae5cf8b7151401728ab26dcc1431d4bb903c5e56f9e26cdd06c8e777eba267549bbf7da1e09688822cb4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zo0orsmr.uyo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms61F6.tmp
Filesize
3.8MB

MD5
03813d38cc7820f9c68f6764e477bd68

SHA1
ef02c9634f6d7a17a66d78dcc98f6154971d1e73

SHA256
572cf83b14d8eb05be377d4cc8ad6196c9994f815a2ff47cfee2d68219d83c4d

SHA512
1d17f353e3c0adccae832fffbc4d189e7b1b9868f5f4410205e53796387a9f1fe5c7a87bde1546fc022eb671b68ceb7fb67da59846a4dc880dcf230aeb50edd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms67E2.tmp
Filesize
46KB

MD5
10b549c788d008fc48cccac97d0d41f5

SHA1
f0c723bb0c9123875a1a208e3ec46f4ec4108be0

SHA256
589c8fa2d213b58ab009ff4caae02a61d4d60a6fa61567f208017fef136363a9

SHA512
bc7f033012190ba6ccc2c76c4d32a1814bb4960d209d39edf5960f27b51f3e448b4ae0d26c8b68f3239eb499abfdc1bea2324fc3d7841ea1521c5f0c42f4df88

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms68AD.tmp
Filesize
283KB

MD5
02ea195dd67861f845f7fd66af7a0599

SHA1
e9b9e4a8fb39b838c4ffd7321f26b53eff9aca73

SHA256
df4fa66d72e0dec0ad47af48f25e8fe0e9cf2361ba19340b014e871f418ff207

SHA512
d198baa7a8f20922ef63d34504b0cbfe1dfefb4b72d7763063480699ae4184e1d48e7dd64ddb6f18414c508ce6e80085e42a86daea5ea678a8942b3b628de8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms6F54.tmp
Filesize
733KB

MD5
e071c8ee33d217c10b415c30365e608b

SHA1
91e6cecaa37634d500db49536876cbc9ecb09683

SHA256
835c2a9f31f166d13dd4db17b76a4731194214566e7a39df674afa292feef6b8

SHA512
17b5f6229a74fb85af3aec28768f1be072ae99e5f2596fca7737e91e525bdf67865caa906f3c4c6eadfaa4df9a1aee7a1adc3effa72fa1cc68bbc8e41daba960

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAAE6.tmp.bat
Filesize
152B

MD5
e252293fc0380e8f511361cfbd4b4872

SHA1
45edc4f1b00ecd9d37c7b928967afed78786f68f

SHA256
b9509eb22dc027511df2096aa4a954b6ffdbcd7ffa861d5e4bb3c97e469278d0

SHA512
e0103dfea901fe7a3d3827555cff002a8238407b1e5aceec06f02816ac49c7efd335fe44e46362920a8ca652090e2c806b4d0757f94fe81a2c95f8af95de22d4

Download Submit
C:\Users\Admin\AppData\Roaming\audiodvs.exe
Filesize
46.6MB

MD5
f0b5815e55b09afbe81ab25270b9b497

SHA1
9c38caab6cb81391039a4ac8d190a1b4aafc98de

SHA256
8dff80d13c5b0d98e868df25ae76fbc56d1756ccada91a1dfd9902ac5e75c1a9

SHA512
9fd89c2e3bb4c498919403f1f613ce9d5d050eff2ba281e5f7abb0dea3e747a8426ef56b801e879fcefad29093cece4189f2c366bd0f75195e147f3f37954363

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/1480-459-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1480-462-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1480-457-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1480-465-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1480-466-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1480-464-0x000000006F590000-0x000000006F5C9000-memory.dmp

Filesize
228KB

Download
memory/1480-458-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1480-460-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1480-455-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1580-251-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1604-292-0x00000000068B0000-0x0000000006938000-memory.dmp

Filesize
544KB

Download
memory/1604-254-0x0000000000940000-0x00000000009F8000-memory.dmp

Filesize
736KB

Download
memory/1864-316-0x0000000005850000-0x00000000058AC000-memory.dmp

Filesize
368KB

Download
memory/1864-303-0x0000000000C90000-0x0000000000D18000-memory.dmp

Filesize
544KB

Download
memory/2288-318-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2288-212-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2288-320-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2288-210-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2288-209-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2288-319-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2776-435-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2776-9-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2776-442-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2776-188-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2776-200-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2776-12-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2868-152-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2876-161-0x0000000000400000-0x000000000074F018-memory.dmp

Filesize
3.3MB

Download
memory/2876-60-0x0000000000400000-0x000000000074F018-memory.dmp

Filesize
3.3MB

Download
memory/2888-80-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/2888-1-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/2888-149-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/2888-0-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/2888-2-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/2888-3-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/2964-498-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2964-497-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3036-331-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-451-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3092-448-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3180-81-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3180-178-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3268-314-0x0000000005670000-0x00000000056CA000-memory.dmp

Filesize
360KB

Download
memory/3268-297-0x00000000009B0000-0x0000000000A36000-memory.dmp

Filesize
536KB

Download
memory/3316-87-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3916-445-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3916-436-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3916-191-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3916-159-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-432-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download
memory/4116-165-0x0000000005CF0000-0x0000000005D12000-memory.dmp

Filesize
136KB

Download
memory/4116-185-0x0000000007B20000-0x000000000819A000-memory.dmp

Filesize
6.5MB

Download
memory/4116-183-0x0000000006510000-0x000000000655C000-memory.dmp

Filesize
304KB

Download
memory/4116-163-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

Filesize
216KB

Download
memory/4116-186-0x0000000006960000-0x000000000697A000-memory.dmp

Filesize
104KB

Download
memory/4116-182-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/4116-167-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/4116-166-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4116-179-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/4116-164-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/4216-43-0x0000000000400000-0x00000000004B0574-memory.dmp

Filesize
705KB

Download
memory/4216-190-0x0000000000400000-0x00000000004B0574-memory.dmp

Filesize
705KB

Download
memory/4392-294-0x0000000000800000-0x000000000087C000-memory.dmp

Filesize
496KB

Download
memory/4392-311-0x00000000052B0000-0x0000000005300000-memory.dmp

Filesize
320KB

Download
memory/4748-285-0x0000000000410000-0x0000000000496000-memory.dmp

Filesize
536KB

Download
memory/4748-308-0x0000000005010000-0x000000000506C000-memory.dmp

Filesize
368KB

Download
memory/4784-293-0x0000000005A20000-0x0000000005AC2000-memory.dmp

Filesize
648KB

Download
memory/4784-248-0x0000000002E60000-0x0000000002E66000-memory.dmp

Filesize
24KB

Download
memory/4784-247-0x0000000000B00000-0x0000000000BFA000-memory.dmp

Filesize
1000KB

Download
memory/4800-37-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/4800-181-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/4800-61-0x000000000051A000-0x000000000051B000-memory.dmp

Filesize
4KB

Download
memory/4800-62-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/4816-137-0x0000000005630000-0x000000000567C000-memory.dmp

Filesize
304KB

Download
memory/4816-64-0x0000000000450000-0x000000000067A000-memory.dmp

Filesize
2.2MB

Download
memory/4816-88-0x00000000068F0000-0x0000000006ADC000-memory.dmp

Filesize
1.9MB

Download
memory/4816-67-0x00000000028F0000-0x00000000028F6000-memory.dmp

Filesize
24KB

Download
memory/4964-162-0x000000006F250000-0x000000006F289000-memory.dmp

Filesize
228KB

Download
memory/4992-479-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4992-482-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4992-491-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4992-492-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4992-483-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5012-72-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/5116-57-0x0000000000D80000-0x0000000000DCA000-memory.dmp

Filesize
296KB

Download
memory/5116-63-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/5116-44-0x000000007371E000-0x000000007371F000-memory.dmp

Filesize
4KB

Download
memory/5116-65-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/5116-74-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/5116-75-0x0000000005950000-0x00000000059C6000-memory.dmp

Filesize
472KB

Download
memory/5116-224-0x00000000059D0000-0x00000000059EE000-memory.dmp

Filesize
120KB

Download
memory/5116-216-0x0000000005740000-0x000000000576E000-memory.dmp

Filesize
184KB

Download
memory/5148-474-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5148-541-0x0000000005780000-0x000000000581C000-memory.dmp

Filesize
624KB

Download
memory/6088-514-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6088-516-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download