Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 16:35
Static task
static1
Behavioral task
behavioral1
Sample
2a9bf696f1af170e0e1b5ede752a1578.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2a9bf696f1af170e0e1b5ede752a1578.exe
Resource
win10v2004-20240508-en
General
-
Target
2a9bf696f1af170e0e1b5ede752a1578.exe
-
Size
4.1MB
-
MD5
2a9bf696f1af170e0e1b5ede752a1578
-
SHA1
96b9f6c7398fc9c0cc44534dfabe08f0583baf3a
-
SHA256
d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f
-
SHA512
8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d
-
SSDEEP
98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd
Malware Config
Extracted
darkcomet
2024+June111-newcrt
dgorijan20785.hopto.org:35800
DC_MUTEX-TF0M80E
-
gencode
FStELhsGExZX
-
install
false
-
offline_keylogger
false
-
password
hhhhhh
-
persistence
false
Extracted
asyncrat
0.5.6A
dgorijan20785.hopto.org:6606
dgorijan20785.hopto.org:7707
dgorijan20785.hopto.org:8808
45.74.4.244:6606
45.74.4.244:7707
45.74.4.244:8808
v5tvc5rc5ex77777
-
delay
5
-
install
true
-
install_file
audiodvs.exe
-
install_folder
%AppData%
Extracted
darkcomet
2024+June1-newcrt
dgorijan20785.hopto.org:35800
DC_MUTEX-62B5ZW6
-
InstallPath
word.exe
-
gencode
T8Q4ENhuqy1g
-
install
true
-
offline_keylogger
false
-
password
hhhhhh
-
persistence
true
-
reg_key
word
Extracted
xenorat
dgorijan20785.hopto.org
win_sv88778sl
-
delay
5000
-
install_path
temp
-
port
4488
-
startup_name
logons
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word.exe" sms4C6B.tmp -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016caf-69.dat family_asyncrat -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 5 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts sms42EA.tmp File opened for modification C:\Windows\system32\drivers\etc\hosts sms4C6B.tmp File opened for modification C:\Windows\system32\drivers\etc\hosts InstallUtil.exe File opened for modification C:\Windows\system32\drivers\etc\hosts AUDIOPT.EXE File opened for modification C:\Windows\system32\drivers\etc\hosts AUDIOPT.EXE -
Executes dropped EXE 58 IoCs
pid Process 2916 sms42EA.tmp 2804 EDGEN.EXE 3060 USBDRV.EXE 2712 WINLISTS.EXE 2616 WINNOTE.EXE 2672 WRAR.EXE 2936 sms4B24.tmp 760 sms4C6B.tmp 800 sms4DF1.tmp 536 viewpdf.exe 572 word.exe 984 audiodvs.exe 2920 AUDIOPT.EXE 3008 ADOBESERV.EXE 2364 DRVVIDEO.EXE 2732 WINCPUL.EXE 2492 WINLOGONL.EXE 2984 WINPLAY.EXE 2172 ADOBESERV.EXE 1732 DRVVIDEO.EXE 2216 WINLOGONL.EXE 2184 AUDIOPT.EXE 348 WINCPUL.EXE 2428 WINPLAY.EXE 1372 EDGEN.EXE 2776 EDGEN.EXE 1296 DRVVIDEO.EXE 1088 WINCPUL.EXE 1836 WINCPUL.EXE 1976 WINCPUL.EXE 1424 WINCPUL.EXE 900 WINCPUL.EXE 1664 WINCPUL.EXE 2212 WINCPUL.EXE 2644 WINCPUL.EXE 1680 WINCPUL.EXE 2652 WINCPUL.EXE 2632 WINPLAY.EXE 1760 WINPLAY.EXE 1800 WINCPUL.EXE 744 WINCPUL.EXE 2452 WINCPUL.EXE 1940 WINCPUL.EXE 2820 WINCPUL.EXE 2328 WINCPUL.EXE 2660 WINCPUL.EXE 2196 AUDIOPT.EXE 2748 WINCPUL.EXE 2612 WINCPUL.EXE 2644 WINCPUL.EXE 1664 WINLOGONL.EXE 2420 DRVVIDEO.EXE 2056 WINLOGONL.EXE 2996 AUDIOPT.EXE 2128 EDGEN.EXE 1616 EDGEN.EXE 2156 wintskl.exe 1080 wintskl.exe -
Loads dropped DLL 59 IoCs
pid Process 2916 sms42EA.tmp 2916 sms42EA.tmp 2916 sms42EA.tmp 2916 sms42EA.tmp 2916 sms42EA.tmp 2916 sms42EA.tmp 2916 sms42EA.tmp 2708 Process not Found 2604 Process not Found 2524 Process not Found 2916 sms42EA.tmp 800 sms4DF1.tmp 760 sms4C6B.tmp 760 sms4C6B.tmp 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2248 InstallUtil.exe 2804 EDGEN.EXE 1372 EDGEN.EXE 2364 DRVVIDEO.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2984 WINPLAY.EXE 2428 WINPLAY.EXE 348 WINCPUL.EXE 348 WINCPUL.EXE 348 WINCPUL.EXE 348 WINCPUL.EXE 348 WINCPUL.EXE 348 WINCPUL.EXE 348 WINCPUL.EXE 348 WINCPUL.EXE 2920 AUDIOPT.EXE 348 WINCPUL.EXE 2216 WINLOGONL.EXE 348 WINCPUL.EXE 1732 DRVVIDEO.EXE 2492 WINLOGONL.EXE 2184 AUDIOPT.EXE 2776 EDGEN.EXE 2776 EDGEN.EXE 532 cmd.exe -
resource yara_rule behavioral1/files/0x000d00000000f845-10.dat upx behavioral1/memory/2916-11-0x0000000000400000-0x000000000089A000-memory.dmp upx behavioral1/memory/2916-16-0x0000000000400000-0x000000000089A000-memory.dmp upx behavioral1/files/0x0009000000016cde-78.dat upx behavioral1/memory/760-79-0x0000000000400000-0x00000000004C7000-memory.dmp upx behavioral1/memory/572-179-0x0000000000400000-0x00000000004C7000-memory.dmp upx behavioral1/memory/760-185-0x0000000000400000-0x00000000004C7000-memory.dmp upx behavioral1/memory/2916-193-0x0000000000400000-0x000000000089A000-memory.dmp upx behavioral1/memory/572-363-0x0000000000400000-0x00000000004C7000-memory.dmp upx -
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\"" AUDIOPT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\"" WINLOGONL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\"" WINLOGONL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe" word.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\"" DRVVIDEO.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\"" AUDIOPT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe" sms4C6B.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe" viewpdf.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\"" DRVVIDEO.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\"" ADOBESERV.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe" sms4DF1.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\"" WRAR.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\"" ADOBESERV.EXE -
Suspicious use of SetThreadContext 14 IoCs
description pid Process procid_target PID 2672 set thread context of 2248 2672 WRAR.EXE 53 PID 2804 set thread context of 1372 2804 EDGEN.EXE 91 PID 2364 set thread context of 1296 2364 DRVVIDEO.EXE 95 PID 2984 set thread context of 2632 2984 WINPLAY.EXE 106 PID 2428 set thread context of 1760 2428 WINPLAY.EXE 107 PID 2920 set thread context of 2196 2920 AUDIOPT.EXE 116 PID 2216 set thread context of 1664 2216 WINLOGONL.EXE 118 PID 1732 set thread context of 2420 1732 DRVVIDEO.EXE 121 PID 3008 set thread context of 1748 3008 ADOBESERV.EXE 120 PID 2492 set thread context of 2056 2492 WINLOGONL.EXE 123 PID 2172 set thread context of 2096 2172 ADOBESERV.EXE 122 PID 2184 set thread context of 2996 2184 AUDIOPT.EXE 124 PID 2776 set thread context of 1616 2776 EDGEN.EXE 130 PID 2156 set thread context of 1080 2156 wintskl.exe 141 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 2 IoCs
pid Process 1432 timeout.exe 2216 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 352 schtasks.exe 1788 schtasks.exe 884 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1780 powershell.exe 2936 sms4B24.tmp 2936 sms4B24.tmp 2936 sms4B24.tmp 2672 WRAR.EXE 2672 WRAR.EXE 2208 powershell.exe 316 powershell.exe 2568 powershell.exe 480 powershell.exe 800 powershell.exe 2480 powershell.exe 2152 powershell.exe 3060 powershell.exe 2932 powershell.exe 352 powershell.exe 328 powershell.exe 2052 powershell.exe 984 audiodvs.exe 2364 DRVVIDEO.EXE 2364 DRVVIDEO.EXE 2364 DRVVIDEO.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE 2732 WINCPUL.EXE -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 536 viewpdf.exe 1748 InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2916 sms42EA.tmp Token: SeSecurityPrivilege 2916 sms42EA.tmp Token: SeTakeOwnershipPrivilege 2916 sms42EA.tmp Token: SeLoadDriverPrivilege 2916 sms42EA.tmp Token: SeSystemProfilePrivilege 2916 sms42EA.tmp Token: SeSystemtimePrivilege 2916 sms42EA.tmp Token: SeProfSingleProcessPrivilege 2916 sms42EA.tmp Token: SeIncBasePriorityPrivilege 2916 sms42EA.tmp Token: SeCreatePagefilePrivilege 2916 sms42EA.tmp Token: SeBackupPrivilege 2916 sms42EA.tmp Token: SeRestorePrivilege 2916 sms42EA.tmp Token: SeShutdownPrivilege 2916 sms42EA.tmp Token: SeDebugPrivilege 2916 sms42EA.tmp Token: SeSystemEnvironmentPrivilege 2916 sms42EA.tmp Token: SeChangeNotifyPrivilege 2916 sms42EA.tmp Token: SeRemoteShutdownPrivilege 2916 sms42EA.tmp Token: SeUndockPrivilege 2916 sms42EA.tmp Token: SeManageVolumePrivilege 2916 sms42EA.tmp Token: SeImpersonatePrivilege 2916 sms42EA.tmp Token: SeCreateGlobalPrivilege 2916 sms42EA.tmp Token: 33 2916 sms42EA.tmp Token: 34 2916 sms42EA.tmp Token: 35 2916 sms42EA.tmp Token: SeIncreaseQuotaPrivilege 760 sms4C6B.tmp Token: SeSecurityPrivilege 760 sms4C6B.tmp Token: SeTakeOwnershipPrivilege 760 sms4C6B.tmp Token: SeLoadDriverPrivilege 760 sms4C6B.tmp Token: SeSystemProfilePrivilege 760 sms4C6B.tmp Token: SeSystemtimePrivilege 760 sms4C6B.tmp Token: SeProfSingleProcessPrivilege 760 sms4C6B.tmp Token: SeIncBasePriorityPrivilege 760 sms4C6B.tmp Token: SeCreatePagefilePrivilege 760 sms4C6B.tmp Token: SeBackupPrivilege 760 sms4C6B.tmp Token: SeRestorePrivilege 760 sms4C6B.tmp Token: SeShutdownPrivilege 760 sms4C6B.tmp Token: SeDebugPrivilege 760 sms4C6B.tmp Token: SeSystemEnvironmentPrivilege 760 sms4C6B.tmp Token: SeChangeNotifyPrivilege 760 sms4C6B.tmp Token: SeRemoteShutdownPrivilege 760 sms4C6B.tmp Token: SeUndockPrivilege 760 sms4C6B.tmp Token: SeManageVolumePrivilege 760 sms4C6B.tmp Token: SeImpersonatePrivilege 760 sms4C6B.tmp Token: SeCreateGlobalPrivilege 760 sms4C6B.tmp Token: 33 760 sms4C6B.tmp Token: 34 760 sms4C6B.tmp Token: 35 760 sms4C6B.tmp Token: SeShutdownPrivilege 800 sms4DF1.tmp Token: SeDebugPrivilege 800 sms4DF1.tmp Token: SeTcbPrivilege 800 sms4DF1.tmp Token: SeShutdownPrivilege 536 viewpdf.exe Token: SeDebugPrivilege 536 viewpdf.exe Token: SeTcbPrivilege 536 viewpdf.exe Token: SeIncreaseQuotaPrivilege 572 word.exe Token: SeSecurityPrivilege 572 word.exe Token: SeTakeOwnershipPrivilege 572 word.exe Token: SeLoadDriverPrivilege 572 word.exe Token: SeSystemProfilePrivilege 572 word.exe Token: SeSystemtimePrivilege 572 word.exe Token: SeProfSingleProcessPrivilege 572 word.exe Token: SeIncBasePriorityPrivilege 572 word.exe Token: SeCreatePagefilePrivilege 572 word.exe Token: SeBackupPrivilege 572 word.exe Token: SeRestorePrivilege 572 word.exe Token: SeShutdownPrivilege 572 word.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 536 viewpdf.exe 2248 InstallUtil.exe 2196 AUDIOPT.EXE 1748 InstallUtil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1192 wrote to memory of 2916 1192 2a9bf696f1af170e0e1b5ede752a1578.exe 29 PID 1192 wrote to memory of 2916 1192 2a9bf696f1af170e0e1b5ede752a1578.exe 29 PID 1192 wrote to memory of 2916 1192 2a9bf696f1af170e0e1b5ede752a1578.exe 29 PID 1192 wrote to memory of 2916 1192 2a9bf696f1af170e0e1b5ede752a1578.exe 29 PID 2916 wrote to memory of 2804 2916 sms42EA.tmp 30 PID 2916 wrote to memory of 2804 2916 sms42EA.tmp 30 PID 2916 wrote to memory of 2804 2916 sms42EA.tmp 30 PID 2916 wrote to memory of 2804 2916 sms42EA.tmp 30 PID 2916 wrote to memory of 3060 2916 sms42EA.tmp 31 PID 2916 wrote to memory of 3060 2916 sms42EA.tmp 31 PID 2916 wrote to memory of 3060 2916 sms42EA.tmp 31 PID 2916 wrote to memory of 3060 2916 sms42EA.tmp 31 PID 2916 wrote to memory of 2712 2916 sms42EA.tmp 33 PID 2916 wrote to memory of 2712 2916 sms42EA.tmp 33 PID 2916 wrote to memory of 2712 2916 sms42EA.tmp 33 PID 2916 wrote to memory of 2712 2916 sms42EA.tmp 33 PID 2916 wrote to memory of 2616 2916 sms42EA.tmp 35 PID 2916 wrote to memory of 2616 2916 sms42EA.tmp 35 PID 2916 wrote to memory of 2616 2916 sms42EA.tmp 35 PID 2916 wrote to memory of 2616 2916 sms42EA.tmp 35 PID 2916 wrote to memory of 2672 2916 sms42EA.tmp 37 PID 2916 wrote to memory of 2672 2916 sms42EA.tmp 37 PID 2916 wrote to memory of 2672 2916 sms42EA.tmp 37 PID 2916 wrote to memory of 2672 2916 sms42EA.tmp 37 PID 2712 wrote to memory of 2936 2712 WINLISTS.EXE 38 PID 2712 wrote to memory of 2936 2712 WINLISTS.EXE 38 PID 2712 wrote to memory of 2936 2712 WINLISTS.EXE 38 PID 3060 wrote to memory of 760 3060 USBDRV.EXE 39 PID 3060 wrote to memory of 760 3060 USBDRV.EXE 39 PID 3060 wrote to memory of 760 3060 USBDRV.EXE 39 PID 3060 wrote to memory of 760 3060 USBDRV.EXE 39 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 760 wrote to memory of 2224 760 sms4C6B.tmp 40 PID 2616 wrote to memory of 800 2616 WINNOTE.EXE 41 PID 2616 wrote to memory of 800 2616 WINNOTE.EXE 41 PID 2616 wrote to memory of 800 2616 WINNOTE.EXE 41 PID 2616 wrote to memory of 800 2616 WINNOTE.EXE 41 PID 800 wrote to memory of 536 800 sms4DF1.tmp 42 PID 800 wrote to memory of 536 800 sms4DF1.tmp 42 PID 800 wrote to memory of 536 800 sms4DF1.tmp 42 PID 800 wrote to memory of 536 800 sms4DF1.tmp 42 PID 760 wrote to memory of 572 760 sms4C6B.tmp 43 PID 760 wrote to memory of 572 760 sms4C6B.tmp 43 PID 760 wrote to memory of 572 760 sms4C6B.tmp 43 PID 760 wrote to memory of 572 760 sms4C6B.tmp 43 PID 572 wrote to memory of 1612 572 word.exe 44 PID 572 wrote to memory of 1612 572 word.exe 44 PID 572 wrote to memory of 1612 572 word.exe 44 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe"C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp"C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"6⤵
- Executes dropped EXE
PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE"6⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "logons" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2607.tmp" /F7⤵
- Scheduled Task/Job: Scheduled Task
PID:1788
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp"C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp"4⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵PID:2224
-
-
C:\Users\Admin\Documents\word.exe"C:\Users\Admin\Documents\word.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\notepad.exenotepad6⤵PID:1612
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE"C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp"C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2936 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodvs.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
PID:352
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D13.tmp.bat""5⤵PID:1928
-
C:\Windows\system32\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
PID:1432
-
-
C:\Users\Admin\AppData\Roaming\audiodvs.exe"C:\Users\Admin\AppData\Roaming\audiodvs.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:984
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE"C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp"C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800 -
C:\ProgramData\pdfview\viewpdf.exe"C:\ProgramData\pdfview\viewpdf.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:536
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WRAR.EXE"C:\Users\Admin\AppData\Local\Temp\WRAR.EXE"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2672 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3008 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2152
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe6⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1748
-
-
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2920 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:316
-
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEC:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2196
-
-
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEC:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE6⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"7⤵PID:2756
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2732 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2568
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:1088
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:1836
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:1424
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:900
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:1664
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2212
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:1680
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2644
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2652
-
-
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2492 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:480
-
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEC:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE6⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"7⤵PID:2868
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2984 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:800
-
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEC:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE6⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'7⤵
- Scheduled Task/Job: Scheduled Task
PID:884
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3CB2.tmp.bat""7⤵
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\timeout.exetimeout 38⤵
- Delays execution with timeout.exe
PID:2216
-
-
C:\Users\Admin\AppData\Roaming\wintskl.exe"C:\Users\Admin\AppData\Roaming\wintskl.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2156 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==9⤵PID:2028
-
-
C:\Users\Admin\AppData\Roaming\wintskl.exeC:\Users\Admin\AppData\Roaming\wintskl.exe9⤵
- Executes dropped EXE
PID:1080
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2172 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe6⤵PID:2096
-
-
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2184 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:328
-
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEC:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE6⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2996
-
-
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1732 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480
-
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEC:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE6⤵
- Executes dropped EXE
PID:2420
-
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:348 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:1800
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:744
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:1940
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2328
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2748
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2612
-
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE6⤵
- Executes dropped EXE
PID:2644
-
-
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2216 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060
-
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEC:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE6⤵
- Executes dropped EXE
PID:1664
-
-
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2428 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
PID:352
-
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEC:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE6⤵
- Executes dropped EXE
PID:1760
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
971KB
MD5b9627469e7f554de40844bb210bafc1b
SHA1a9e0647c640bb4e7a5a432e984e294842d03455d
SHA2565074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6
SHA51286db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b
-
Filesize
514KB
MD508e6dc43a44c34efb81e328b03652f3d
SHA1e1359be06649ec0ff40d7b0ba39148afc5ff7855
SHA256da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd
SHA512e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c
-
Filesize
421KB
MD5be6c7a291d10a15274a0613a3d7d373d
SHA1e9a7d7ee40f875b5f6b2a5ae85825f5f1b510011
SHA25613f76dc27178fc55f0a9dc756e894195683668d1592f399eab4399825abbdcec
SHA5125b40578a08b0b44b27ad27cda6d2aafb3ec51b209b0c16f4bfdf589131b36770b738c0278870c5d57fc0daadf9638ded25362363a12ceff1c932afb6c4301bc1
-
Filesize
177KB
MD5e4cee8675eb9bee518fceb46df6b0171
SHA1e7a4d534e4fe3930d34178d1e50866201dd9f4dd
SHA256dbe3e996ba14398b16753ce4be959bde4fb308e0e81c1a24c1632560b4e8396a
SHA512612a02353ba58f0649ccb89a10ef87ab72968734301c8e97f5c69631177dffbd29b03bcab30e44706dcd7103bdc1f735935012fed5dd219e13fe7ed9bae46205
-
Filesize
850KB
MD5adc072db38c95f07ba096def8010ec23
SHA197470255c4075752e4e0f120847107ed9bad60f8
SHA256f20d872a03c3a41b240d03b30ad8417e841e5bcfb659bd2ad863a02e215e22f4
SHA512bec583fa431c13443238db3cec8f555914df682666ae5cf8b7151401728ab26dcc1431d4bb903c5e56f9e26cdd06c8e777eba267549bbf7da1e09688822cb4b4
-
Filesize
2.1MB
MD5d047d98c07f60feceabedb071932b56a
SHA1ceb1a880d36ad0c79d75081c6004c4820d18c16d
SHA25616991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355
SHA5126438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563
-
Filesize
3.8MB
MD503813d38cc7820f9c68f6764e477bd68
SHA1ef02c9634f6d7a17a66d78dcc98f6154971d1e73
SHA256572cf83b14d8eb05be377d4cc8ad6196c9994f815a2ff47cfee2d68219d83c4d
SHA5121d17f353e3c0adccae832fffbc4d189e7b1b9868f5f4410205e53796387a9f1fe5c7a87bde1546fc022eb671b68ceb7fb67da59846a4dc880dcf230aeb50edd8
-
Filesize
46KB
MD510b549c788d008fc48cccac97d0d41f5
SHA1f0c723bb0c9123875a1a208e3ec46f4ec4108be0
SHA256589c8fa2d213b58ab009ff4caae02a61d4d60a6fa61567f208017fef136363a9
SHA512bc7f033012190ba6ccc2c76c4d32a1814bb4960d209d39edf5960f27b51f3e448b4ae0d26c8b68f3239eb499abfdc1bea2324fc3d7841ea1521c5f0c42f4df88
-
Filesize
283KB
MD502ea195dd67861f845f7fd66af7a0599
SHA1e9b9e4a8fb39b838c4ffd7321f26b53eff9aca73
SHA256df4fa66d72e0dec0ad47af48f25e8fe0e9cf2361ba19340b014e871f418ff207
SHA512d198baa7a8f20922ef63d34504b0cbfe1dfefb4b72d7763063480699ae4184e1d48e7dd64ddb6f18414c508ce6e80085e42a86daea5ea678a8942b3b628de8cf
-
Filesize
733KB
MD5e071c8ee33d217c10b415c30365e608b
SHA191e6cecaa37634d500db49536876cbc9ecb09683
SHA256835c2a9f31f166d13dd4db17b76a4731194214566e7a39df674afa292feef6b8
SHA51217b5f6229a74fb85af3aec28768f1be072ae99e5f2596fca7737e91e525bdf67865caa906f3c4c6eadfaa4df9a1aee7a1adc3effa72fa1cc68bbc8e41daba960
-
Filesize
151B
MD558654dd3ebf7499eb974760ced8d4876
SHA1b19a11b5c0935d8af2d80086e78e614cadfd213c
SHA256046571a55cbb0a0a24b960dee91e9278829b634ff7d161aa3c5e683b65585c23
SHA5124d7df70b7c6ee56332c18a38f894a198de33e81fedd12be429f3600fa0409a06d8dc61cba8ff2f031e48da6fbe2e2ddadfc5facce7f61fbc2d827d67dd19909c
-
Filesize
152B
MD56dfba0f95b662a38762f4337edeff2bd
SHA1b446a3f562bae7d3e0ad257caac20ee640c653da
SHA256b541a0b0a1b1c3135c794425d121e751b2de2a1fa994066ddd9c60fc2b6aa1a1
SHA5127279087e83d54e6fe8c23707fb653660c2f784d3b1c5e6bcee2721e27c095c44a246a346d78c4b9392864479697af947cb00ae9a4702968332c3b2954b47d6a9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\83PRCAY3W5PQYVXZ986Q.temp
Filesize7KB
MD5c6ee5a1be9c5b7c35cab9cf5e6f689c4
SHA10a6c4cd9a7e3d1dd9a11742de6efadaa28875b2c
SHA2560cfbb2a100772c26f1ec0ba70c8cfc54b12f7f132ae4a9e001a466536186de4c
SHA512fced974d92bff8d05b21b1210781260e22c5c9fe417749c9039fab93b69ee8b415d3ad8602c96c615feb13bd4227934bb5c509c8a508a2326a2676d59dd74c99
-
Filesize
47.7MB
MD5776d03ee3ff34cdda7c370b03106ee49
SHA1d02c04eae689a7a91116d62b5584ee447997a9bb
SHA256bced54d9a343ba12abab3d3b797947344baffef6af651fb6b6cb35b3ec64667e
SHA512ea61d89684fab7a4ed5daade4ea5e58eb9c7f4eaa4b14a61c24edf9306dd2158b0a787a4514cd33cf212433b2d67ff7403181c5cb48b6755436d95f07aa72ab7
-
Filesize
46.4MB
MD5893ba5076bdd51e397382cabaf95561a
SHA1f3b3fc1e87d66a09803fe3af0c3914ff0b110914
SHA256f078de22db5f1103abf1c44db78aa1a49de77ad292beb76920832637e7f15d1c
SHA51225cca36d7617944a3916ce09a633db59ebc63a4bb170a2dfdd3f9f2b6761f79006c47958d888477c5e4bb329ed1204e8c190fd315117f7d97dceed9269083cc3
-
Filesize
21B
MD52ddca716eff6ab2f8d96dc3d39527386
SHA14c1c65fa4d6bffe17dc9e04e193adf6db9d0994f
SHA256e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a
SHA5125b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3
-
Filesize
706KB
MD5ec686b4055ed2cb7c2cad70b4d16d129
SHA107fa122ac1ab4451cf9fa239652faa867a29540e
SHA25659baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a
SHA51286e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21
-
Filesize
272KB
MD5f15e71a4533bed5e3d3a79f6b73862a6
SHA1f1007480f2924e6b35d96b65e6cc0fdee6edb07c
SHA25663b57bcc9105ace9e2dc463a160c5a7c4d2b22f17229a0c9b5c58454a42d7a89
SHA51231dbdd945a121d8b8408be150d336a98f04f9dd1df5505d79c61d404aeff61d92d0eaaa973d34c2aaff95280c00431d26198a2ee3ec616c1edce9dca8624e99b
-
Filesize
519KB
MD5601292d6c082d283f03c18d7544b191b
SHA1695ad657e5bbc51c2b02bf674982a788dea95dbc
SHA2568e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13
SHA512bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f
-
Filesize
512KB
MD52f679de5443dac203b91769a4c1c909d
SHA10c6abb07446d0bc0656b7304411de78f65d2e809
SHA256cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e
SHA51203b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0
-
Filesize
471KB
MD5caa8b858c6b22d263c3b3029461191fc
SHA189922c2d98a35d3eb00acea5e7563a63e237265f
SHA256d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1
SHA5129f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc