Analysis Overview

score

10^/10

SHA256

d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f

Threat Level: Known bad

The file 2a9bf696f1af170e0e1b5ede752a1578.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat babylonrat darkcomet warzonerat xenorat 2024+june1-newcrt 2024+june111-newcrt evasion infostealer persistence rat trojan upx new-july-july4-0 new-july-july4-02

Darkcomet

Babylon RAT

Modifies WinLogon for persistence

XenorRat

WarzoneRat, AveMaria

AsyncRat

Async RAT payload

Warzone RAT payload

Disables Task Manager via registry modification

Drops file in Drivers directory

Checks computer location settings

Drops startup file

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

NTFS ADS

MITRE ATT&CK Matrix V13

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

System Information Discovery

Analysis: static1

Detonation Overview

Reported

2024-07-04 16:35

Signatures

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 16:35

Reported

2024-07-04 17:09

Platform

win7-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe"

Signatures

AsyncRat

rat asyncrat

Babylon RAT

trojan babylonrat

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word.exe"	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

XenorRat

trojan rat xenorat

Async RAT payload

rat

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description	Indicator	Process	Target
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
File opened for modification	C:\Windows\system32\drivers\etc\hosts	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	N/A
N/A	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
N/A	N/A	C:\Users\Admin\Documents\word.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\audiodvs.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\wintskl.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\wintskl.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XenoManager\EDGEN.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	C:\Users\Admin\Documents\word.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Documents\\word.exe"	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	C:\ProgramData\pdfview\viewpdf.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winpdf = "C:\\ProgramData\\pdfview\\viewpdf.exe"	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE	N/A

Suspicious use of SetThreadContext

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\timeout.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\timeout.exe	N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\audiodvs.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeIncreaseQuotaPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeSecurityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeSystemtimePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeBackupPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeRestorePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeChangeNotifyPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeUndockPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeManageVolumePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeImpersonatePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeCreateGlobalPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: 34	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: 35	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeSecurityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeSystemtimePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeBackupPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeRestorePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeChangeNotifyPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeUndockPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeManageVolumePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeImpersonatePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeCreateGlobalPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: 34	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: 35	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	N/A
Token: SeTcbPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	N/A
Token: SeShutdownPrivilege	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
Token: SeDebugPrivilege	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
Token: SeTcbPrivilege	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\Documents\word.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\ProgramData\pdfview\viewpdf.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1192 wrote to memory of 2916	N/A	C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp
PID 1192 wrote to memory of 2916	N/A	C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp
PID 1192 wrote to memory of 2916	N/A	C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp
PID 1192 wrote to memory of 2916	N/A	C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp
PID 2916 wrote to memory of 2804	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
PID 2916 wrote to memory of 2804	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
PID 2916 wrote to memory of 2804	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
PID 2916 wrote to memory of 2804	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE
PID 2916 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
PID 2916 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
PID 2916 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
PID 2916 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE
PID 2916 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
PID 2916 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
PID 2916 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
PID 2916 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE
PID 2916 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
PID 2916 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
PID 2916 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
PID 2916 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE
PID 2916 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
PID 2916 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
PID 2916 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
PID 2916 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp	C:\Users\Admin\AppData\Local\Temp\WRAR.EXE
PID 2712 wrote to memory of 2936	N/A	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE	C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp
PID 2712 wrote to memory of 2936	N/A	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE	C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp
PID 2712 wrote to memory of 2936	N/A	C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE	C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp
PID 3060 wrote to memory of 760	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp
PID 3060 wrote to memory of 760	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp
PID 3060 wrote to memory of 760	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp
PID 3060 wrote to memory of 760	N/A	C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 760 wrote to memory of 2224	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Windows\SysWOW64\notepad.exe
PID 2616 wrote to memory of 800	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp
PID 2616 wrote to memory of 800	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp
PID 2616 wrote to memory of 800	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp
PID 2616 wrote to memory of 800	N/A	C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp
PID 800 wrote to memory of 536	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	C:\ProgramData\pdfview\viewpdf.exe
PID 800 wrote to memory of 536	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	C:\ProgramData\pdfview\viewpdf.exe
PID 800 wrote to memory of 536	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	C:\ProgramData\pdfview\viewpdf.exe
PID 800 wrote to memory of 536	N/A	C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp	C:\ProgramData\pdfview\viewpdf.exe
PID 760 wrote to memory of 572	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Users\Admin\Documents\word.exe
PID 760 wrote to memory of 572	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Users\Admin\Documents\word.exe
PID 760 wrote to memory of 572	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Users\Admin\Documents\word.exe
PID 760 wrote to memory of 572	N/A	C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp	C:\Users\Admin\Documents\word.exe
PID 572 wrote to memory of 1612	N/A	C:\Users\Admin\Documents\word.exe	C:\Windows\SysWOW64\notepad.exe
PID 572 wrote to memory of 1612	N/A	C:\Users\Admin\Documents\word.exe	C:\Windows\SysWOW64\notepad.exe
PID 572 wrote to memory of 1612	N/A	C:\Users\Admin\Documents\word.exe	C:\Windows\SysWOW64\notepad.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe

"C:\Users\Admin\AppData\Local\Temp\2a9bf696f1af170e0e1b5ede752a1578.exe"

C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp

"C:\Users\Admin\AppData\Local\Temp\sms42EA.tmp"

C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE

"C:\Users\Admin\AppData\Local\Temp\EDGEN.EXE"

C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE

"C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"

C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE

"C:\Users\Admin\AppData\Local\Temp\WINLISTS.EXE"

C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE

"C:\Users\Admin\AppData\Local\Temp\WINNOTE.EXE"

C:\Users\Admin\AppData\Local\Temp\WRAR.EXE

"C:\Users\Admin\AppData\Local\Temp\WRAR.EXE"

C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp

"C:\Users\Admin\AppData\Local\Temp\sms4B24.tmp"

C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp

"C:\Users\Admin\AppData\Local\Temp\sms4C6B.tmp"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp

"C:\Users\Admin\AppData\Local\Temp\sms4DF1.tmp"

C:\ProgramData\pdfview\viewpdf.exe

"C:\ProgramData\pdfview\viewpdf.exe"

C:\Users\Admin\Documents\word.exe

"C:\Users\Admin\Documents\word.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodvs.exe"'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D13.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\audiodvs.exe

"C:\Users\Admin\AppData\Roaming\audiodvs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE

"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE

"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE

"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE

"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE

"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE

"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"