asyncrat | d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe
Size

4.1MB
MD5

2a9bf696f1af170e0e1b5ede752a1578
SHA1

96b9f6c7398fc9c0cc44534dfabe08f0583baf3a
SHA256

d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f
SHA512

8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d
SSDEEP

98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd

Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+june1-newcrt 2024+june111-newcrt new-july-july4-0 new-july-july4-02 evasion infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

2024+June111-newcrt

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-TF0M80E

Attributes

gencode
FStELhsGExZX
install
false
offline_keylogger
false
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

v5tvc5rc5ex77777

Attributes

delay
5
install
true
install_file
audiodvs.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+June1-newcrt

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-62B5ZW6

Attributes

InstallPath
word.exe
gencode
T8Q4ENhuqy1g
install
true
offline_keylogger
false
password
hhhhhh
persistence
true
reg_key
word

Extracted

Family

babylonrat

dgorijan20785.hopto.org

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

win_sv88778sl

Attributes

delay
5000
install_path
temp
port
4488
startup_name
logons

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

sms73E8.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word.exe"	sms73E8.tmp

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms72A0.tmp	family_asyncrat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5608-442-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5608-445-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5216-463-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5216-466-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4928-488-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4928-489-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 5 IoCs

Processes:

sms6C37.tmpsms73E8.tmpInstallUtil.exeAUDIOPT.EXEAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms6C37.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	sms73E8.tmp
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sms73E8.tmpAUDIOPT.EXEDRVVIDEO.EXEsms72A0.tmpAUDIOPT.EXEWINPLAY.EXEWINCPUL.EXEADOBESERV.EXEEDGEN.EXEWINLOGONL.EXEWINCPUL.EXEADOBESERV.EXEWINPLAY.EXEWINLOGONL.EXEwintsklt.exesms6C37.tmpWRAR.EXEDRVVIDEO.EXEWINPLAY.EXEwintskl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sms73E8.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sms72A0.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EDGEN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sms6C37.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WRAR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wintskl.exe

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Executes dropped EXE 46 IoCs

Processes:

sms6C37.tmpEDGEN.EXEUSBDRV.EXEWINLISTS.EXEWINNOTE.EXEWRAR.EXEsms72A0.tmpsms73E8.tmpword.exesms7947.tmpviewpdf.exeaudiodvs.exeADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEEDGEN.EXEWINPLAY.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEEDGEN.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEEDGEN.EXEWINCPUL.EXEAUDIOPT.EXEAUDIOPT.EXEAUDIOPT.EXEDRVVIDEO.EXEwintsklt.exeWINPLAY.EXEWINLOGONL.EXEWINLOGONL.EXEAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXEDRVVIDEO.EXEWINLOGONL.EXEWINLOGONL.EXEwintskl.exewintsklt.exewintsklt.exewintskl.exe

pid	process
5012	sms6C37.tmp
4360	EDGEN.EXE
1652	USBDRV.EXE
3976	WINLISTS.EXE
2108	WINNOTE.EXE
3480	WRAR.EXE
2216	sms72A0.tmp
1840	sms73E8.tmp
4468	word.exe
1256	sms7947.tmp
4104	viewpdf.exe
2768	audiodvs.exe
1416	ADOBESERV.EXE
3572	AUDIOPT.EXE
2312	DRVVIDEO.EXE
1984	WINCPUL.EXE
4804	WINLOGONL.EXE
1748	EDGEN.EXE
380	WINPLAY.EXE
4984	ADOBESERV.EXE
3684	AUDIOPT.EXE
3064	DRVVIDEO.EXE
1888	EDGEN.EXE
4332	WINCPUL.EXE
4108	WINLOGONL.EXE
3184	WINPLAY.EXE
5752	EDGEN.EXE
5608	WINCPUL.EXE
5880	AUDIOPT.EXE
6012	AUDIOPT.EXE
6068	AUDIOPT.EXE
5216	DRVVIDEO.EXE
6124	wintsklt.exe
5404	WINPLAY.EXE
5864	WINLOGONL.EXE
4928	WINLOGONL.EXE
2896	AUDIOPT.EXE
5848	WINCPUL.EXE
2956	WINPLAY.EXE
2948	DRVVIDEO.EXE
3340	WINLOGONL.EXE
60	WINLOGONL.EXE
756	wintskl.exe
5368	wintsklt.exe
5888	wintsklt.exe
5704	wintskl.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sms6C37.tmp	upx
behavioral2/memory/5012-9-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/5012-10-0x0000000000400000-0x000000000089A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\sms73E8.tmp	upx
behavioral2/memory/1840-81-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4468-153-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/1840-177-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/5012-187-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/4468-190-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/5012-199-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/4468-203-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4896-208-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/4896-210-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/4896-207-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/4896-316-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/4896-315-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/5012-365-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/4468-433-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/5012-434-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/4468-435-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/5012-437-0x0000000000400000-0x000000000089A000-memory.dmp	upx
behavioral2/memory/4468-438-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/6068-454-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6068-453-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6068-451-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6068-458-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6068-459-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5240-472-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5240-473-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5240-475-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5240-471-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sms73E8.tmpWINLOGONL.EXEADOBESERV.EXEDRVVIDEO.EXEsms7947.tmpviewpdf.exeWRAR.EXEAUDIOPT.EXEDRVVIDEO.EXEword.exeAUDIOPT.EXEWINLOGONL.EXEADOBESERV.EXEWINCPUL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	sms73E8.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	sms7947.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	viewpdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	WRAR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	word.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE

Suspicious use of SetThreadContext 17 IoCs

Processes:

WRAR.EXEEDGEN.EXEEDGEN.EXEWINCPUL.EXEAUDIOPT.EXEDRVVIDEO.EXEADOBESERV.EXEWINPLAY.EXEWINLOGONL.EXEAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXEADOBESERV.EXEDRVVIDEO.EXEWINLOGONL.EXEwintsklt.exewintskl.exe

description	pid	process	target process
PID 3480 set thread context of 4896	3480	WRAR.EXE	InstallUtil.exe
PID 4360 set thread context of 1748	4360	EDGEN.EXE	EDGEN.EXE
PID 1888 set thread context of 5752	1888	EDGEN.EXE	EDGEN.EXE
PID 1984 set thread context of 5608	1984	WINCPUL.EXE	WINCPUL.EXE
PID 3572 set thread context of 6068	3572	AUDIOPT.EXE	AUDIOPT.EXE
PID 2312 set thread context of 5216	2312	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 1416 set thread context of 5240	1416	ADOBESERV.EXE	InstallUtil.exe
PID 380 set thread context of 5404	380	WINPLAY.EXE	WINPLAY.EXE
PID 4804 set thread context of 4928	4804	WINLOGONL.EXE	WINLOGONL.EXE
PID 3684 set thread context of 2896	3684	AUDIOPT.EXE	AUDIOPT.EXE
PID 4332 set thread context of 5848	4332	WINCPUL.EXE	WINCPUL.EXE
PID 3184 set thread context of 2956	3184	WINPLAY.EXE	WINPLAY.EXE
PID 4984 set thread context of 5140	4984	ADOBESERV.EXE	InstallUtil.exe
PID 3064 set thread context of 2948	3064	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 4108 set thread context of 60	4108	WINLOGONL.EXE	WINLOGONL.EXE
PID 6124 set thread context of 5888	6124	wintsklt.exe	wintsklt.exe
PID 756 set thread context of 5704	756	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

904 schtasks.exe
5348 schtasks.exe
5852 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3836 timeout.exe
4476 timeout.exe
Modifies registry class 1 IoCs

Processes:

sms73E8.tmp

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ sms73E8.tmp
NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

pid	process
904	schtasks.exe
5348	schtasks.exe
5852	schtasks.exe

pid	process
3836	timeout.exe
4476	timeout.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	sms73E8.tmp

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesms72A0.tmpWRAR.EXEaudiodvs.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4828	powershell.exe
4828	powershell.exe
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
2216	sms72A0.tmp
3480	WRAR.EXE
3480	WRAR.EXE
3480	WRAR.EXE
3480	WRAR.EXE
3480	WRAR.EXE
3480	WRAR.EXE
3480	WRAR.EXE
3480	WRAR.EXE
3480	WRAR.EXE
3480	WRAR.EXE
2768	audiodvs.exe
2768	audiodvs.exe
1544	powershell.exe
1544	powershell.exe
4488	powershell.exe
4488	powershell.exe
1860	powershell.exe
1860	powershell.exe
4764	powershell.exe
4764	powershell.exe
2260	powershell.exe
2260	powershell.exe
1080	powershell.exe
1080	powershell.exe
4612	powershell.exe
4612	powershell.exe
5068	powershell.exe
5068	powershell.exe
768	powershell.exe
768	powershell.exe
5064	powershell.exe
5064	powershell.exe
8	powershell.exe
8	powershell.exe
4488	powershell.exe
4488	powershell.exe
1544	powershell.exe
1544	powershell.exe
1636	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

viewpdf.exeInstallUtil.exe

pid process

4104 viewpdf.exe
5240 InstallUtil.exe

pid	process
4104	viewpdf.exe
5240	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sms6C37.tmpsms73E8.tmpword.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5012	sms6C37.tmp
Token: SeSecurityPrivilege	5012	sms6C37.tmp
Token: SeTakeOwnershipPrivilege	5012	sms6C37.tmp
Token: SeLoadDriverPrivilege	5012	sms6C37.tmp
Token: SeSystemProfilePrivilege	5012	sms6C37.tmp
Token: SeSystemtimePrivilege	5012	sms6C37.tmp
Token: SeProfSingleProcessPrivilege	5012	sms6C37.tmp
Token: SeIncBasePriorityPrivilege	5012	sms6C37.tmp
Token: SeCreatePagefilePrivilege	5012	sms6C37.tmp
Token: SeBackupPrivilege	5012	sms6C37.tmp
Token: SeRestorePrivilege	5012	sms6C37.tmp
Token: SeShutdownPrivilege	5012	sms6C37.tmp
Token: SeDebugPrivilege	5012	sms6C37.tmp
Token: SeSystemEnvironmentPrivilege	5012	sms6C37.tmp
Token: SeChangeNotifyPrivilege	5012	sms6C37.tmp
Token: SeRemoteShutdownPrivilege	5012	sms6C37.tmp
Token: SeUndockPrivilege	5012	sms6C37.tmp
Token: SeManageVolumePrivilege	5012	sms6C37.tmp
Token: SeImpersonatePrivilege	5012	sms6C37.tmp
Token: SeCreateGlobalPrivilege	5012	sms6C37.tmp
Token: 33	5012	sms6C37.tmp
Token: 34	5012	sms6C37.tmp
Token: 35	5012	sms6C37.tmp
Token: 36	5012	sms6C37.tmp
Token: SeIncreaseQuotaPrivilege	1840	sms73E8.tmp
Token: SeSecurityPrivilege	1840	sms73E8.tmp
Token: SeTakeOwnershipPrivilege	1840	sms73E8.tmp
Token: SeLoadDriverPrivilege	1840	sms73E8.tmp
Token: SeSystemProfilePrivilege	1840	sms73E8.tmp
Token: SeSystemtimePrivilege	1840	sms73E8.tmp
Token: SeProfSingleProcessPrivilege	1840	sms73E8.tmp
Token: SeIncBasePriorityPrivilege	1840	sms73E8.tmp
Token: SeCreatePagefilePrivilege	1840	sms73E8.tmp
Token: SeBackupPrivilege	1840	sms73E8.tmp
Token: SeRestorePrivilege	1840	sms73E8.tmp
Token: SeShutdownPrivilege	1840	sms73E8.tmp
Token: SeDebugPrivilege	1840	sms73E8.tmp
Token: SeSystemEnvironmentPrivilege	1840	sms73E8.tmp
Token: SeChangeNotifyPrivilege	1840	sms73E8.tmp
Token: SeRemoteShutdownPrivilege	1840	sms73E8.tmp
Token: SeUndockPrivilege	1840	sms73E8.tmp
Token: SeManageVolumePrivilege	1840	sms73E8.tmp
Token: SeImpersonatePrivilege	1840	sms73E8.tmp
Token: SeCreateGlobalPrivilege	1840	sms73E8.tmp
Token: 33	1840	sms73E8.tmp
Token: 34	1840	sms73E8.tmp
Token: 35	1840	sms73E8.tmp
Token: 36	1840	sms73E8.tmp
Token: SeIncreaseQuotaPrivilege	4468	word.exe
Token: SeSecurityPrivilege	4468	word.exe
Token: SeTakeOwnershipPrivilege	4468	word.exe
Token: SeLoadDriverPrivilege	4468	word.exe
Token: SeSystemProfilePrivilege	4468	word.exe
Token: SeSystemtimePrivilege	4468	word.exe
Token: SeProfSingleProcessPrivilege	4468	word.exe
Token: SeIncBasePriorityPrivilege	4468	word.exe
Token: SeCreatePagefilePrivilege	4468	word.exe
Token: SeBackupPrivilege	4468	word.exe
Token: SeRestorePrivilege	4468	word.exe
Token: SeShutdownPrivilege	4468	word.exe
Token: SeDebugPrivilege	4468	word.exe
Token: SeSystemEnvironmentPrivilege	4468	word.exe
Token: SeChangeNotifyPrivilege	4468	word.exe
Token: SeRemoteShutdownPrivilege	4468	word.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

viewpdf.exeInstallUtil.exeAUDIOPT.EXEInstallUtil.exe

pid process

4104 viewpdf.exe
4896 InstallUtil.exe
6068 AUDIOPT.EXE
5240 InstallUtil.exe

pid	process
4104	viewpdf.exe
4896	InstallUtil.exe
6068	AUDIOPT.EXE
5240	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exesms6C37.tmpWINLISTS.EXEUSBDRV.EXEsms73E8.tmpWRAR.EXEWINNOTE.EXEword.exe

description	pid	process	target process
PID 3940 wrote to memory of 5012	3940	d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	sms6C37.tmp
PID 3940 wrote to memory of 5012	3940	d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	sms6C37.tmp
PID 3940 wrote to memory of 5012	3940	d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	sms6C37.tmp
PID 5012 wrote to memory of 4360	5012	sms6C37.tmp	EDGEN.EXE
PID 5012 wrote to memory of 4360	5012	sms6C37.tmp	EDGEN.EXE
PID 5012 wrote to memory of 4360	5012	sms6C37.tmp	EDGEN.EXE
PID 5012 wrote to memory of 1652	5012	sms6C37.tmp	USBDRV.EXE
PID 5012 wrote to memory of 1652	5012	sms6C37.tmp	USBDRV.EXE
PID 5012 wrote to memory of 3976	5012	sms6C37.tmp	WINLISTS.EXE
PID 5012 wrote to memory of 3976	5012	sms6C37.tmp	WINLISTS.EXE
PID 5012 wrote to memory of 2108	5012	sms6C37.tmp	WINNOTE.EXE
PID 5012 wrote to memory of 2108	5012	sms6C37.tmp	WINNOTE.EXE
PID 5012 wrote to memory of 3480	5012	sms6C37.tmp	WRAR.EXE
PID 5012 wrote to memory of 3480	5012	sms6C37.tmp	WRAR.EXE
PID 5012 wrote to memory of 3480	5012	sms6C37.tmp	WRAR.EXE
PID 3976 wrote to memory of 2216	3976	WINLISTS.EXE	sms72A0.tmp
PID 3976 wrote to memory of 2216	3976	WINLISTS.EXE	sms72A0.tmp
PID 1652 wrote to memory of 1840	1652	USBDRV.EXE	sms73E8.tmp
PID 1652 wrote to memory of 1840	1652	USBDRV.EXE	sms73E8.tmp
PID 1652 wrote to memory of 1840	1652	USBDRV.EXE	sms73E8.tmp
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 3384	1840	sms73E8.tmp	notepad.exe
PID 1840 wrote to memory of 4468	1840	sms73E8.tmp	word.exe
PID 1840 wrote to memory of 4468	1840	sms73E8.tmp	word.exe
PID 1840 wrote to memory of 4468	1840	sms73E8.tmp	word.exe
PID 3480 wrote to memory of 4828	3480	WRAR.EXE	powershell.exe
PID 3480 wrote to memory of 4828	3480	WRAR.EXE	powershell.exe
PID 3480 wrote to memory of 4828	3480	WRAR.EXE	powershell.exe
PID 2108 wrote to memory of 1256	2108	WINNOTE.EXE	sms7947.tmp
PID 2108 wrote to memory of 1256	2108	WINNOTE.EXE	sms7947.tmp
PID 2108 wrote to memory of 1256	2108	WINNOTE.EXE	sms7947.tmp
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe
PID 4468 wrote to memory of 4860	4468	word.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe
"C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\sms6C37.tmp
  "C:\Users\Admin\AppData\Local\Temp\sms6C37.tmp"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
    "C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
      "C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"
        6⤵
        Executes dropped EXE
        
        PID:5752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5484.tmp" /F
        7⤵
        Creates scheduled task(s)
        
        PID:5348
- - C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
    "C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\sms73E8.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms73E8.tmp"
      4⤵
      Modifies WinLogon for persistence
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:3384
    - - C:\Users\Admin\Documents\word.exe
        
        "C:\Users\Admin\Documents\word.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:4860
- - C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\sms72A0.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms72A0.tmp"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2216
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodvs.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.bat""
        5⤵
        
        PID:3824
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:3836
      - C:\Users\Admin\AppData\Roaming\audiodvs.exe
        
        "C:\Users\Admin\AppData\Roaming\audiodvs.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
- - C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\sms7947.tmp
      "C:\Users\Admin\AppData\Local\Temp\sms7947.tmp"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1256
    - - C:\ProgramData\pdfview\viewpdf.exe
        
        "C:\ProgramData\pdfview\viewpdf.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:4104
- - C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
    "C:\Users\Admin\AppData\Local\Temp\WRAR.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4828
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:1016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:4092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Drops file in Drivers directory
      Suspicious use of SetWindowsHookEx
      PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1416
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5240
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3572
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Executes dropped EXE
        
        PID:5880
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Executes dropped EXE
        
        PID:6012
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6068
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2312
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1984
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        
        PID:5608
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        "C:\Users\Admin\Documents\wintsklt.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        8⤵
        
        PID:868
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        8⤵
        Executes dropped EXE
        
        PID:5368
        
        C:\Users\Admin\Documents\wintsklt.exe
        
        C:\Users\Admin\Documents\wintsklt.exe
        8⤵
        Executes dropped EXE
        
        PID:5888
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4804
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:5864
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:544
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:380
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1080
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5404
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C6C.tmp.bat""
        7⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        "C:\Users\Admin\AppData\Roaming\wintskl.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        9⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        
        C:\Users\Admin\AppData\Roaming\wintskl.exe
        9⤵
        Executes dropped EXE
        
        PID:5704
    - - C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4984
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:5140
    - - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3684
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        
        C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3064
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        
        C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
        6⤵
        Executes dropped EXE
        
        PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4332
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
      - C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
        6⤵
        Executes dropped EXE
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        7⤵
        
        PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4108
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:3340
      - C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
        6⤵
        Executes dropped EXE
        
        PID:60
    - - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3184
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
      - C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
        6⤵
        Executes dropped EXE
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADOBESERV.EXE.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EDGEN.EXE.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
36d124c57713227ba09b5f4c6735813c

SHA1
7c7f1df21486c2311d0b5cdf498db8f709de04ed

SHA256
b3a7d9ae297b18c1e451eb21e76055b7db5f889cad25a5eb5752f730490fd431

SHA512
7eb16a0a092473e71e9e451f8d6bc46ae037b0692be3cf02393b5eb7df392211039a0db0cc23305d8460c02f505bd4cbaaaca4745cf937fc4a9d1d32edb08b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
54796f9e8097106e361ae0bfff598255

SHA1
78705390c8947d92d33a2ecce43c42cc46525bee

SHA256
1b5155a1133b09b14c97731dbe888087036b12e77d50f5e4e4840cb27f306858

SHA512
e5b978e43a019e1ccdbb170978f36aa0b3b55abcd62488ca11a16ddc7327c013ddf832b7b4ee7484ae2cf841529d2240c6655d08d1e85aae50f324203943a8c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
eb1db32c00231655c255784e84add63e

SHA1
c4359f39f03d10b0b1b5b2452732b46e549a60bd

SHA256
fe1ac532c5bb68aebd83d307a725dc30121a14b18cc7edf724f26cd4ba3a443b

SHA512
432401539b00a84caaa7016371fa0d938705f66d95f736269ba1e646d3960ba39e2c0511013f7b29bcec0be35e53ae929f406db9eb02faf565c86ada39acd16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
34f9a8a116d47e8f2fc9edd2683c308a

SHA1
30c9ff86a8cc4d5a8d5a08290a04c73c66a7301a

SHA256
ba0696525dac8a0a60fb916dbbf93c3f7191ddeaf43001149ddb83bcffa99949

SHA512
7da06dbbf748284e9d7b58ad4651decec52f734057520f55993777fdb3dc8de67908b481b31e80a2ea209d4e4eeb06acdcdce05a1ac007aa72ae374176bce8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
79a11bd02fe229a5d5ea34b4e3a4b159

SHA1
ff701125db8483d14e60fbbccdb0fd2aee2d0e4e

SHA256
ec462ae143d9c7c2727b8b158b5942d9802ac43e8a92f66238de22f16f78a746

SHA512
fa83500b61c0489573ae5edeec678f978c378d7d4a71cc8091e0055ff4d32c3f77caa064348f4455b9760e08852d60e69e35eebfdacd59d9e928a7d152beec28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE

Filesize
272KB

MD5
f15e71a4533bed5e3d3a79f6b73862a6

SHA1
f1007480f2924e6b35d96b65e6cc0fdee6edb07c

SHA256
63b57bcc9105ace9e2dc463a160c5a7c4d2b22f17229a0c9b5c58454a42d7a89

SHA512
31dbdd945a121d8b8408be150d336a98f04f9dd1df5505d79c61d404aeff61d92d0eaaa973d34c2aaff95280c00431d26198a2ee3ec616c1edce9dca8624e99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

Filesize
421KB

MD5
be6c7a291d10a15274a0613a3d7d373d

SHA1
e9a7d7ee40f875b5f6b2a5ae85825f5f1b510011

SHA256
13f76dc27178fc55f0a9dc756e894195683668d1592f399eab4399825abbdcec

SHA512
5b40578a08b0b44b27ad27cda6d2aafb3ec51b209b0c16f4bfdf589131b36770b738c0278870c5d57fc0daadf9638ded25362363a12ceff1c932afb6c4301bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE

Filesize
177KB

MD5
e4cee8675eb9bee518fceb46df6b0171

SHA1
e7a4d534e4fe3930d34178d1e50866201dd9f4dd

SHA256
dbe3e996ba14398b16753ce4be959bde4fb308e0e81c1a24c1632560b4e8396a

SHA512
612a02353ba58f0649ccb89a10ef87ab72968734301c8e97f5c69631177dffbd29b03bcab30e44706dcd7103bdc1f735935012fed5dd219e13fe7ed9bae46205

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE

Filesize
850KB

MD5
adc072db38c95f07ba096def8010ec23

SHA1
97470255c4075752e4e0f120847107ed9bad60f8

SHA256
f20d872a03c3a41b240d03b30ad8417e841e5bcfb659bd2ad863a02e215e22f4

SHA512
bec583fa431c13443238db3cec8f555914df682666ae5cf8b7151401728ab26dcc1431d4bb903c5e56f9e26cdd06c8e777eba267549bbf7da1e09688822cb4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRAR.EXE

Filesize
2.1MB

MD5
d047d98c07f60feceabedb071932b56a

SHA1
ceb1a880d36ad0c79d75081c6004c4820d18c16d

SHA256
16991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355

SHA512
6438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_skudot3p.r4s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms6C37.tmp

Filesize
3.8MB

MD5
03813d38cc7820f9c68f6764e477bd68

SHA1
ef02c9634f6d7a17a66d78dcc98f6154971d1e73

SHA256
572cf83b14d8eb05be377d4cc8ad6196c9994f815a2ff47cfee2d68219d83c4d

SHA512
1d17f353e3c0adccae832fffbc4d189e7b1b9868f5f4410205e53796387a9f1fe5c7a87bde1546fc022eb671b68ceb7fb67da59846a4dc880dcf230aeb50edd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms72A0.tmp

Filesize
46KB

MD5
10b549c788d008fc48cccac97d0d41f5

SHA1
f0c723bb0c9123875a1a208e3ec46f4ec4108be0

SHA256
589c8fa2d213b58ab009ff4caae02a61d4d60a6fa61567f208017fef136363a9

SHA512
bc7f033012190ba6ccc2c76c4d32a1814bb4960d209d39edf5960f27b51f3e448b4ae0d26c8b68f3239eb499abfdc1bea2324fc3d7841ea1521c5f0c42f4df88

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms73E8.tmp

Filesize
283KB

MD5
02ea195dd67861f845f7fd66af7a0599

SHA1
e9b9e4a8fb39b838c4ffd7321f26b53eff9aca73

SHA256
df4fa66d72e0dec0ad47af48f25e8fe0e9cf2361ba19340b014e871f418ff207

SHA512
d198baa7a8f20922ef63d34504b0cbfe1dfefb4b72d7763063480699ae4184e1d48e7dd64ddb6f18414c508ce6e80085e42a86daea5ea678a8942b3b628de8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms7947.tmp

Filesize
733KB

MD5
e071c8ee33d217c10b415c30365e608b

SHA1
91e6cecaa37634d500db49536876cbc9ecb09683

SHA256
835c2a9f31f166d13dd4db17b76a4731194214566e7a39df674afa292feef6b8

SHA512
17b5f6229a74fb85af3aec28768f1be072ae99e5f2596fca7737e91e525bdf67865caa906f3c4c6eadfaa4df9a1aee7a1adc3effa72fa1cc68bbc8e41daba960

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp.bat

Filesize
152B

MD5
8b6cfb3a2b80376bacfb0a30f6906212

SHA1
c2318f8542d4897a2239f2491afade311efa4c29

SHA256
5ab9845577a0fc74abcd535844e98a631c64bcaf01149e0275c7ea9de974a5b2

SHA512
3eb2ed8b03eef240354bef135dd6e1e6edb0bfbfcf8dc0b31c6283bd0141966902889f9ddc73eb9aca0b37ddc73b6dc88d092274b3b01ed124a8d1243d84ed2e

Download Submit
C:\Users\Admin\AppData\Roaming\audiodvs.exe

Filesize
44.8MB

MD5
1b43c71e4b662565d78bcf403a785b85

SHA1
b4964cdf3cf23fe607c32029f217532d869c1719

SHA256
2fbaeff04fe7f160687d51e0f72dccb990e1ae665b51c90bcea51967ef11d73e

SHA512
103d794dabf80b4a3bd7d01ca962b515179b260a19e2a1633e6d9819168857ce34d34e219a820c93b17f2660d8b992ffe7276d04dadbb90675529fe84dd1f274

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/380-295-0x0000000000610000-0x000000000068C000-memory.dmp

Filesize
496KB

Download
memory/380-312-0x00000000055B0000-0x0000000005600000-memory.dmp

Filesize
320KB

Download
memory/544-527-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1416-286-0x0000000006E00000-0x0000000006EA2000-memory.dmp

Filesize
648KB

Download
memory/1416-254-0x0000000001540000-0x0000000001546000-memory.dmp

Filesize
24KB

Download
memory/1416-247-0x0000000000BB0000-0x0000000000CAA000-memory.dmp

Filesize
1000KB

Download
memory/1652-59-0x000000000051A000-0x000000000051B000-memory.dmp

Filesize
4KB

Download
memory/1652-180-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/1652-35-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/1652-60-0x0000000000400000-0x00000000005A1130-memory.dmp

Filesize
1.6MB

Download
memory/1724-524-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/1748-284-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1840-81-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1840-177-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1984-275-0x00000000007C0000-0x0000000000848000-memory.dmp

Filesize
544KB

Download
memory/1984-296-0x00000000066F0000-0x000000000674C000-memory.dmp

Filesize
368KB

Download
memory/2108-161-0x0000000000400000-0x000000000074F018-memory.dmp

Filesize
3.3MB

Download
memory/2108-58-0x0000000000400000-0x000000000074F018-memory.dmp

Filesize
3.3MB

Download
memory/2216-74-0x0000000000110000-0x0000000000122000-memory.dmp

Filesize
72KB

Download
memory/2312-267-0x0000000000930000-0x00000000009B6000-memory.dmp

Filesize
536KB

Download
memory/2312-291-0x00000000055F0000-0x000000000564C000-memory.dmp

Filesize
368KB

Download
memory/3384-87-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3480-64-0x0000000000240000-0x000000000046A000-memory.dmp

Filesize
2.2MB

Download
memory/3480-72-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/3480-137-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/3480-67-0x0000000000E90000-0x0000000000E96000-memory.dmp

Filesize
24KB

Download
memory/3480-88-0x0000000006650000-0x000000000683C000-memory.dmp

Filesize
1.9MB

Download
memory/3572-253-0x0000000000330000-0x00000000003E8000-memory.dmp

Filesize
736KB

Download
memory/3572-283-0x0000000005E00000-0x0000000005E88000-memory.dmp

Filesize
544KB

Download
memory/3940-2-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/3940-4-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/3940-80-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/3940-148-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/3940-3-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/3940-0-0x0000000000400000-0x0000000001432240-memory.dmp

Filesize
16.2MB

Download
memory/3940-1-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/3976-189-0x0000000000400000-0x00000000004B0574-memory.dmp

Filesize
705KB

Download
memory/3976-43-0x0000000000400000-0x00000000004B0574-memory.dmp

Filesize
705KB

Download
memory/4360-55-0x0000000000A00000-0x0000000000A4A000-memory.dmp

Filesize
296KB

Download
memory/4360-63-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/4360-269-0x0000000005620000-0x000000000563E000-memory.dmp

Filesize
120KB

Download
memory/4360-53-0x0000000072C9E000-0x0000000072C9F000-memory.dmp

Filesize
4KB

Download
memory/4360-76-0x0000000005540000-0x00000000055B6000-memory.dmp

Filesize
472KB

Download
memory/4360-260-0x00000000055C0000-0x00000000055EE000-memory.dmp

Filesize
184KB

Download
memory/4360-65-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/4468-153-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4468-433-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4468-203-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4468-190-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4468-435-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4468-438-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4488-323-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/4488-421-0x00000000068D0000-0x000000000691C000-memory.dmp

Filesize
304KB

Download
memory/4804-297-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4804-288-0x0000000000270000-0x00000000002F6000-memory.dmp

Filesize
536KB

Download
memory/4828-178-0x0000000005C80000-0x0000000005FD4000-memory.dmp

Filesize
3.3MB

Download
memory/4828-171-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/4828-162-0x0000000002B30000-0x0000000002B66000-memory.dmp

Filesize
216KB

Download
memory/4828-182-0x00000000061B0000-0x00000000061FC000-memory.dmp

Filesize
304KB

Download
memory/4828-165-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/4828-181-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/4828-185-0x0000000006650000-0x000000000666A000-memory.dmp

Filesize
104KB

Download
memory/4828-163-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/4828-184-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/4828-164-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/4860-154-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4896-315-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/4896-316-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/4896-208-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/4896-210-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/4896-207-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/4928-488-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4928-489-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5012-365-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/5012-9-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/5012-10-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/5012-199-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/5012-187-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/5012-434-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/5012-437-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/5216-463-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5216-466-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5240-475-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5240-471-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5240-472-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5240-473-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5404-485-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5404-532-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/5608-442-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5608-445-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6068-454-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6068-459-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6068-458-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6068-451-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6068-453-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download