Analysis Overview

score

10^/10

SHA256

65351e13cea23ec8e910fe0f7a10c286033e330eeec1c09c77242f3f4e1518d0

Threat Level: Known bad

The file 2a9bf696f1af170e0e1b5ede752a1578.bin was found to be: Known bad.

Malicious Activity Summary

asyncrat babylonrat darkcomet warzonerat xenorat 2024+june1-newcrt 2024+june111-newcrt evasion infostealer persistence rat trojan upx new-july-july4-0 new-july-july4-02

Babylon RAT

WarzoneRat, AveMaria

XenorRat

AsyncRat

Darkcomet

Modifies WinLogon for persistence

Warzone RAT payload

Async RAT payload

Disables Task Manager via registry modification

Drops file in Drivers directory

UPX packed file

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

NTFS ADS

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

System Information Discovery

Analysis: static1

Detonation Overview

Reported

2024-07-04 16:34

Signatures

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 16:34

Reported

2024-07-04 17:09

Platform

win7-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe"

Signatures

AsyncRat

rat asyncrat

Babylon RAT

trojan babylonrat

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word.exe"	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

XenorRat

trojan rat xenorat

Async RAT payload

rat

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description	Indicator	Process	Target
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A

Drops startup file

Description	Indicator	Process	Target
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms479B.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	N/A
N/A	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
N/A	N/A	C:\Users\Admin\Documents\word.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\audiodvs.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\Documents\wintsklt.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\wintskl.exe	N/A
N/A	N/A	C:\Users\Admin\Documents\wintsklt.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\wintskl.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\wintskl.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	C:\ProgramData\pdfview\viewpdf.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	C:\Users\Admin\Documents\word.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A

Suspicious use of SetThreadContext

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\timeout.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\timeout.exe	N/A

NTFS ADS

Description	Indicator	Process	Target
File created	C:\Users\Admin\Documents\Documents:ApplicationData	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms479B.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms479B.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms479B.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\audiodvs.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeIncreaseQuotaPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeSecurityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeSystemtimePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeBackupPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeRestorePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeChangeNotifyPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeUndockPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeManageVolumePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeImpersonatePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeCreateGlobalPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: 34	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: 35	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeSecurityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeSystemtimePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeBackupPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeRestorePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeChangeNotifyPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeUndockPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeManageVolumePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeImpersonatePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeCreateGlobalPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: 34	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: 35	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	N/A
Token: SeTcbPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	N/A
Token: SeShutdownPrivilege	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
Token: SeDebugPrivilege	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
Token: SeTcbPrivilege	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1548 wrote to memory of 2484	N/A	C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp
PID 1548 wrote to memory of 2484	N/A	C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp
PID 1548 wrote to memory of 2484	N/A	C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp
PID 1548 wrote to memory of 2484	N/A	C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp
PID 2484 wrote to memory of 1832	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
PID 2484 wrote to memory of 1832	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
PID 2484 wrote to memory of 1832	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
PID 2484 wrote to memory of 1832	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
PID 2484 wrote to memory of 2744	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
PID 2484 wrote to memory of 2744	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
PID 2484 wrote to memory of 2744	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
PID 2484 wrote to memory of 2744	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
PID 2484 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
PID 2484 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
PID 2484 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
PID 2484 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
PID 2484 wrote to memory of 2548	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
PID 2484 wrote to memory of 2548	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
PID 2484 wrote to memory of 2548	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
PID 2484 wrote to memory of 2548	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
PID 2616 wrote to memory of 2568	N/A	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE	C:\Users\Admin\AppData\Local\Temp\sms479B.tmp
PID 2616 wrote to memory of 2568	N/A	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE	C:\Users\Admin\AppData\Local\Temp\sms479B.tmp
PID 2616 wrote to memory of 2568	N/A	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE	C:\Users\Admin\AppData\Local\Temp\sms479B.tmp
PID 2484 wrote to memory of 2196	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
PID 2484 wrote to memory of 2196	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
PID 2484 wrote to memory of 2196	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
PID 2484 wrote to memory of 2196	N/A	C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
PID 2744 wrote to memory of 1192	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp
PID 2744 wrote to memory of 1192	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp
PID 2744 wrote to memory of 1192	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp
PID 2744 wrote to memory of 1192	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp
PID 2548 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp
PID 2548 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp
PID 2548 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp
PID 2548 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 1192 wrote to memory of 2416	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Windows\SysWOW64\notepad.exe
PID 2580 wrote to memory of 2408	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	C:\ProgramData\pdfview\viewpdf.exe
PID 2580 wrote to memory of 2408	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	C:\ProgramData\pdfview\viewpdf.exe
PID 2580 wrote to memory of 2408	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	C:\ProgramData\pdfview\viewpdf.exe
PID 2580 wrote to memory of 2408	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp	C:\ProgramData\pdfview\viewpdf.exe
PID 1192 wrote to memory of 1488	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Users\Admin\Documents\word.exe
PID 1192 wrote to memory of 1488	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Users\Admin\Documents\word.exe
PID 1192 wrote to memory of 1488	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Users\Admin\Documents\word.exe
PID 1192 wrote to memory of 1488	N/A	C:\Users\Admin\AppData\Local\Temp\sms4894.tmp	C:\Users\Admin\Documents\word.exe
PID 1488 wrote to memory of 800	N/A	C:\Users\Admin\Documents\word.exe	C:\Windows\SysWOW64\notepad.exe
PID 1488 wrote to memory of 800	N/A	C:\Users\Admin\Documents\word.exe	C:\Windows\SysWOW64\notepad.exe
PID 1488 wrote to memory of 800	N/A	C:\Users\Admin\Documents\word.exe	C:\Windows\SysWOW64\notepad.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe

"C:\Users\Admin\AppData\Local\Temp\d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f.exe"

C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp

"C:\Users\Admin\AppData\Local\Temp\sms44EC.tmp"

C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE

"C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"

C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

"C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"

C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE

"C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE"

C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE

"C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE"

C:\Users\Admin\AppData\Local\Temp\sms479B.tmp

"C:\Users\Admin\AppData\Local\Temp\sms479B.tmp"

C:\Users\Admin\AppData\Local\Temp\WRAR.EXE

"C:\Users\Admin\AppData\Local\Temp\WRAR.EXE"

C:\Users\Admin\AppData\Local\Temp\sms4894.tmp

"C:\Users\Admin\AppData\Local\Temp\sms4894.tmp"

C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp

"C:\Users\Admin\AppData\Local\Temp\sms4B04.tmp"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\ProgramData\pdfview\viewpdf.exe

"C:\ProgramData\pdfview\viewpdf.exe"

C:\Users\Admin\Documents\word.exe

"C:\Users\Admin\Documents\word.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodvs.exe"'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DDE.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\audiodvs.exe

"C:\Users\Admin\AppData\Roaming\audiodvs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"