asyncrat | 9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020824c1dfea0166bf1bfe3ce59af7a7.exe
Size

2.0MB
MD5

020824c1dfea0166bf1bfe3ce59af7a7
SHA1

e691e2f4607af277472ae32df75c4c42ff94b84c
SHA256

9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381
SHA512

025d92d41a81455513daccca997f396fe393909d7b388ec6f05b8eac5feef91e9996aa263501ac1b74962a40c5d9ce190df2be97f21bbfa8146c63cec6cda6b2
SSDEEP

49152:J6oUM9eEZyfky3a7B9L787fYIdLVYZcl+:RUMHyR3sB9q7CKA

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 new-july-july4-02 collection infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5456-252-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 20 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5348-227-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5348-221-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5820-243-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3628-246-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5820-248-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5348-247-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3628-239-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5820-272-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3628-271-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5644-305-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5968-306-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4132-307-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5968-313-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5820-317-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5644-319-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4132-320-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5348-328-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3628-329-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1288-342-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1288-346-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

InstallUtil.exeAUDIOPT.EXEAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Executes dropped EXE 37 IoCs

Processes:

ADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINCPUL.EXEWINLOGONL.EXEWINCPUL.EXEWINLOGONL.EXEWINCPUL.EXEWINPLAY.EXEAUDIOPT.EXEWINCPUL.EXEDRVVIDEO.EXEDRVVIDEO.EXEWINPLAY.EXEWINLOGONL.EXEDRVVIDEO.EXEWINPLAY.EXEWINPLAY.EXEwintsklt.exewintskl.exewintsklt.exewintsklt.exewintsklt.exewintsklt.exewintskl.exe

pid	process
1996	ADOBESERV.EXE
2228	AUDIOPT.EXE
660	DRVVIDEO.EXE
5068	WINCPUL.EXE
2552	WINLOGONL.EXE
2068	WINPLAY.EXE
860	ADOBESERV.EXE
4156	AUDIOPT.EXE
4244	DRVVIDEO.EXE
2260	WINCPUL.EXE
1372	WINLOGONL.EXE
2964	WINPLAY.EXE
6040	AUDIOPT.EXE
5348	DRVVIDEO.EXE
5584	WINCPUL.EXE
5384	WINCPUL.EXE
5388	WINLOGONL.EXE
2040	WINCPUL.EXE
3628	WINLOGONL.EXE
5820	WINCPUL.EXE
5456	WINPLAY.EXE
5944	AUDIOPT.EXE
5968	WINCPUL.EXE
5976	DRVVIDEO.EXE
2252	DRVVIDEO.EXE
2352	WINPLAY.EXE
5644	WINLOGONL.EXE
4132	DRVVIDEO.EXE
932	WINPLAY.EXE
4452	WINPLAY.EXE
4692	wintsklt.exe
1940	wintskl.exe
5568	wintsklt.exe
4060	wintsklt.exe
4700	wintsklt.exe
1288	wintsklt.exe
3740	wintskl.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/388-147-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/388-149-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/388-150-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/388-164-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/388-202-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/6040-207-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6052-208-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6040-212-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6052-213-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6040-214-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6052-215-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6040-211-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6040-218-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6052-220-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6000-273-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5944-286-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6040-326-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6052-327-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

020824c1dfea0166bf1bfe3ce59af7a7.exeAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXEDRVVIDEO.EXEWINPLAY.EXEWINPLAY.EXEADOBESERV.EXEwintsklt.exewintskl.exeWINLOGONL.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEAUDIOPT.EXEADOBESERV.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	020824c1dfea0166bf1bfe3ce59af7a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Loads dropped DLL 12 IoCs

Processes:

DRVVIDEO.EXEwintsklt.exe

pid	process
5348	DRVVIDEO.EXE
5348	DRVVIDEO.EXE
5348	DRVVIDEO.EXE
5348	DRVVIDEO.EXE
5348	DRVVIDEO.EXE
5348	DRVVIDEO.EXE
1288	wintsklt.exe
1288	wintsklt.exe
1288	wintsklt.exe
1288	wintsklt.exe
1288	wintsklt.exe
1288	wintsklt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

DRVVIDEO.EXEwintsklt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DRVVIDEO.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DRVVIDEO.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wintsklt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wintsklt.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AUDIOPT.EXEADOBESERV.EXEWINLOGONL.EXEADOBESERV.EXEDRVVIDEO.EXE020824c1dfea0166bf1bfe3ce59af7a7.exeDRVVIDEO.EXEWINLOGONL.EXEAUDIOPT.EXEWINCPUL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	020824c1dfea0166bf1bfe3ce59af7a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{94718AF9-6D03-4E3D-8E2A-E9D4EE53448E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3B06CEF1-DFCC-4BAE-87FA-479A279F83B7}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

020824c1dfea0166bf1bfe3ce59af7a7.exeAUDIOPT.EXEADOBESERV.EXEDRVVIDEO.EXEWINLOGONL.EXEWINCPUL.EXEWINPLAY.EXEADOBESERV.EXEWINCPUL.EXEAUDIOPT.EXEWINLOGONL.EXEDRVVIDEO.EXEWINPLAY.EXEwintsklt.exewintskl.exe

description	pid	process	target process
PID 2980 set thread context of 388	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2228 set thread context of 6040	2228	AUDIOPT.EXE	AUDIOPT.EXE
PID 1996 set thread context of 6052	1996	ADOBESERV.EXE	InstallUtil.exe
PID 660 set thread context of 5348	660	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 2552 set thread context of 3628	2552	WINLOGONL.EXE	WINLOGONL.EXE
PID 5068 set thread context of 5820	5068	WINCPUL.EXE	WINCPUL.EXE
PID 2068 set thread context of 5456	2068	WINPLAY.EXE	WINPLAY.EXE
PID 860 set thread context of 6000	860	ADOBESERV.EXE	InstallUtil.exe
PID 2260 set thread context of 5968	2260	WINCPUL.EXE	WINCPUL.EXE
PID 4156 set thread context of 5944	4156	AUDIOPT.EXE	AUDIOPT.EXE
PID 1372 set thread context of 5644	1372	WINLOGONL.EXE	WINLOGONL.EXE
PID 4244 set thread context of 4132	4244	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 2964 set thread context of 4452	2964	WINPLAY.EXE	WINPLAY.EXE
PID 4692 set thread context of 1288	4692	wintsklt.exe	wintsklt.exe
PID 1940 set thread context of 3740	1940	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2828 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2876 timeout.exe

pid	process
2828	schtasks.exe

pid	process
2876	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe020824c1dfea0166bf1bfe3ce59af7a7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAUDIOPT.EXEADOBESERV.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXE

pid	process
3140	powershell.exe
3140	powershell.exe
2980	020824c1dfea0166bf1bfe3ce59af7a7.exe
2980	020824c1dfea0166bf1bfe3ce59af7a7.exe
2980	020824c1dfea0166bf1bfe3ce59af7a7.exe
2980	020824c1dfea0166bf1bfe3ce59af7a7.exe
2980	020824c1dfea0166bf1bfe3ce59af7a7.exe
2980	020824c1dfea0166bf1bfe3ce59af7a7.exe
4656	powershell.exe
4656	powershell.exe
2328	powershell.exe
2328	powershell.exe
3604	powershell.exe
3604	powershell.exe
4796	powershell.exe
4796	powershell.exe
2436	powershell.exe
2436	powershell.exe
4076	powershell.exe
4076	powershell.exe
1804	powershell.exe
1804	powershell.exe
3592	powershell.exe
3592	powershell.exe
2160	powershell.exe
2160	powershell.exe
4424	powershell.exe
4424	powershell.exe
3596	powershell.exe
3596	powershell.exe
4988	powershell.exe
4988	powershell.exe
4656	powershell.exe
4656	powershell.exe
2436	powershell.exe
3604	powershell.exe
3604	powershell.exe
4796	powershell.exe
2328	powershell.exe
2328	powershell.exe
4076	powershell.exe
1804	powershell.exe
3592	powershell.exe
2160	powershell.exe
4424	powershell.exe
3596	powershell.exe
4988	powershell.exe
2228	AUDIOPT.EXE
2228	AUDIOPT.EXE
1996	ADOBESERV.EXE
1996	ADOBESERV.EXE
660	DRVVIDEO.EXE
660	DRVVIDEO.EXE
5068	WINCPUL.EXE
5068	WINCPUL.EXE
5068	WINCPUL.EXE
5068	WINCPUL.EXE
5068	WINCPUL.EXE
5068	WINCPUL.EXE
2552	WINLOGONL.EXE
2552	WINLOGONL.EXE
5068	WINCPUL.EXE
5068	WINCPUL.EXE
2552	WINLOGONL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

6052 InstallUtil.exe

pid	process
6052	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe020824c1dfea0166bf1bfe3ce59af7a7.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAUDIOPT.EXEADOBESERV.EXEAUDIOPT.EXEInstallUtil.exeDRVVIDEO.EXE

description	pid	process
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe
Token: SeIncreaseQuotaPrivilege	388	InstallUtil.exe
Token: SeSecurityPrivilege	388	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	388	InstallUtil.exe
Token: SeLoadDriverPrivilege	388	InstallUtil.exe
Token: SeSystemProfilePrivilege	388	InstallUtil.exe
Token: SeSystemtimePrivilege	388	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	388	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	388	InstallUtil.exe
Token: SeCreatePagefilePrivilege	388	InstallUtil.exe
Token: SeBackupPrivilege	388	InstallUtil.exe
Token: SeRestorePrivilege	388	InstallUtil.exe
Token: SeShutdownPrivilege	388	InstallUtil.exe
Token: SeDebugPrivilege	388	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	388	InstallUtil.exe
Token: SeChangeNotifyPrivilege	388	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	388	InstallUtil.exe
Token: SeUndockPrivilege	388	InstallUtil.exe
Token: SeManageVolumePrivilege	388	InstallUtil.exe
Token: SeImpersonatePrivilege	388	InstallUtil.exe
Token: SeCreateGlobalPrivilege	388	InstallUtil.exe
Token: 33	388	InstallUtil.exe
Token: 34	388	InstallUtil.exe
Token: 35	388	InstallUtil.exe
Token: 36	388	InstallUtil.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	2228	AUDIOPT.EXE
Token: SeDebugPrivilege	1996	ADOBESERV.EXE
Token: SeIncreaseQuotaPrivilege	6040	AUDIOPT.EXE
Token: SeSecurityPrivilege	6040	AUDIOPT.EXE
Token: SeTakeOwnershipPrivilege	6040	AUDIOPT.EXE
Token: SeLoadDriverPrivilege	6040	AUDIOPT.EXE
Token: SeSystemProfilePrivilege	6040	AUDIOPT.EXE
Token: SeSystemtimePrivilege	6040	AUDIOPT.EXE
Token: SeProfSingleProcessPrivilege	6040	AUDIOPT.EXE
Token: SeIncBasePriorityPrivilege	6040	AUDIOPT.EXE
Token: SeShutdownPrivilege	6052	InstallUtil.exe
Token: SeDebugPrivilege	6052	InstallUtil.exe
Token: SeTcbPrivilege	6052	InstallUtil.exe
Token: SeDebugPrivilege	660	DRVVIDEO.EXE
Token: SeCreatePagefilePrivilege	6040	AUDIOPT.EXE
Token: SeBackupPrivilege	6040	AUDIOPT.EXE
Token: SeRestorePrivilege	6040	AUDIOPT.EXE
Token: SeShutdownPrivilege	6040	AUDIOPT.EXE
Token: SeDebugPrivilege	6040	AUDIOPT.EXE
Token: SeSystemEnvironmentPrivilege	6040	AUDIOPT.EXE
Token: SeChangeNotifyPrivilege	6040	AUDIOPT.EXE
Token: SeRemoteShutdownPrivilege	6040	AUDIOPT.EXE
Token: SeUndockPrivilege	6040	AUDIOPT.EXE
Token: SeManageVolumePrivilege	6040	AUDIOPT.EXE
Token: SeImpersonatePrivilege	6040	AUDIOPT.EXE
Token: SeCreateGlobalPrivilege	6040	AUDIOPT.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

InstallUtil.exeInstallUtil.exeAUDIOPT.EXEDRVVIDEO.EXEwintsklt.exe

pid process

388 InstallUtil.exe
6052 InstallUtil.exe
6040 AUDIOPT.EXE
5348 DRVVIDEO.EXE
1288 wintsklt.exe

pid	process
388	InstallUtil.exe
6052	InstallUtil.exe
6040	AUDIOPT.EXE
5348	DRVVIDEO.EXE
1288	wintsklt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

020824c1dfea0166bf1bfe3ce59af7a7.exeInstallUtil.exeDRVVIDEO.EXEADOBESERV.EXEAUDIOPT.EXEWINCPUL.EXEWINLOGONL.EXE

description	pid	process	target process
PID 2980 wrote to memory of 3140	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 2980 wrote to memory of 3140	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 2980 wrote to memory of 3140	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 2980 wrote to memory of 3156	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 3156	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 3156	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 388	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 388	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 388	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 388	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 388	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 388	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2980 wrote to memory of 388	2980	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 388 wrote to memory of 1996	388	InstallUtil.exe	ADOBESERV.EXE
PID 388 wrote to memory of 1996	388	InstallUtil.exe	ADOBESERV.EXE
PID 388 wrote to memory of 1996	388	InstallUtil.exe	ADOBESERV.EXE
PID 388 wrote to memory of 2228	388	InstallUtil.exe	AUDIOPT.EXE
PID 388 wrote to memory of 2228	388	InstallUtil.exe	AUDIOPT.EXE
PID 388 wrote to memory of 2228	388	InstallUtil.exe	AUDIOPT.EXE
PID 388 wrote to memory of 660	388	InstallUtil.exe	DRVVIDEO.EXE
PID 388 wrote to memory of 660	388	InstallUtil.exe	DRVVIDEO.EXE
PID 388 wrote to memory of 660	388	InstallUtil.exe	DRVVIDEO.EXE
PID 388 wrote to memory of 5068	388	InstallUtil.exe	WINCPUL.EXE
PID 388 wrote to memory of 5068	388	InstallUtil.exe	WINCPUL.EXE
PID 388 wrote to memory of 5068	388	InstallUtil.exe	WINCPUL.EXE
PID 388 wrote to memory of 2552	388	InstallUtil.exe	WINLOGONL.EXE
PID 388 wrote to memory of 2552	388	InstallUtil.exe	WINLOGONL.EXE
PID 388 wrote to memory of 2552	388	InstallUtil.exe	WINLOGONL.EXE
PID 388 wrote to memory of 2068	388	InstallUtil.exe	WINPLAY.EXE
PID 388 wrote to memory of 2068	388	InstallUtil.exe	WINPLAY.EXE
PID 388 wrote to memory of 2068	388	InstallUtil.exe	WINPLAY.EXE
PID 388 wrote to memory of 860	388	InstallUtil.exe	ADOBESERV.EXE
PID 388 wrote to memory of 860	388	InstallUtil.exe	ADOBESERV.EXE
PID 388 wrote to memory of 860	388	InstallUtil.exe	ADOBESERV.EXE
PID 388 wrote to memory of 4156	388	InstallUtil.exe	AUDIOPT.EXE
PID 388 wrote to memory of 4156	388	InstallUtil.exe	AUDIOPT.EXE
PID 388 wrote to memory of 4156	388	InstallUtil.exe	AUDIOPT.EXE
PID 388 wrote to memory of 4244	388	InstallUtil.exe	DRVVIDEO.EXE
PID 388 wrote to memory of 4244	388	InstallUtil.exe	DRVVIDEO.EXE
PID 388 wrote to memory of 4244	388	InstallUtil.exe	DRVVIDEO.EXE
PID 388 wrote to memory of 2260	388	InstallUtil.exe	WINCPUL.EXE
PID 388 wrote to memory of 2260	388	InstallUtil.exe	WINCPUL.EXE
PID 388 wrote to memory of 2260	388	InstallUtil.exe	WINCPUL.EXE
PID 388 wrote to memory of 1372	388	InstallUtil.exe	WINLOGONL.EXE
PID 388 wrote to memory of 1372	388	InstallUtil.exe	WINLOGONL.EXE
PID 388 wrote to memory of 1372	388	InstallUtil.exe	WINLOGONL.EXE
PID 660 wrote to memory of 2436	660	DRVVIDEO.EXE	powershell.exe
PID 660 wrote to memory of 2436	660	DRVVIDEO.EXE	powershell.exe
PID 660 wrote to memory of 2436	660	DRVVIDEO.EXE	powershell.exe
PID 1996 wrote to memory of 3604	1996	ADOBESERV.EXE	powershell.exe
PID 1996 wrote to memory of 3604	1996	ADOBESERV.EXE	powershell.exe
PID 1996 wrote to memory of 3604	1996	ADOBESERV.EXE	powershell.exe
PID 2228 wrote to memory of 4656	2228	AUDIOPT.EXE	powershell.exe
PID 2228 wrote to memory of 4656	2228	AUDIOPT.EXE	powershell.exe
PID 2228 wrote to memory of 4656	2228	AUDIOPT.EXE	powershell.exe
PID 388 wrote to memory of 2964	388	InstallUtil.exe	WINPLAY.EXE
PID 388 wrote to memory of 2964	388	InstallUtil.exe	WINPLAY.EXE
PID 388 wrote to memory of 2964	388	InstallUtil.exe	WINPLAY.EXE
PID 5068 wrote to memory of 4796	5068	WINCPUL.EXE	powershell.exe
PID 5068 wrote to memory of 4796	5068	WINCPUL.EXE	powershell.exe
PID 5068 wrote to memory of 4796	5068	WINCPUL.EXE	powershell.exe
PID 2552 wrote to memory of 2328	2552	WINLOGONL.EXE	powershell.exe
PID 2552 wrote to memory of 2328	2552	WINLOGONL.EXE	powershell.exe
PID 2552 wrote to memory of 2328	2552	WINLOGONL.EXE	powershell.exe

outlook_office_path 1 IoCs

Processes:

wintsklt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wintsklt.exe

outlook_win_path 1 IoCs

Processes:

wintsklt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wintsklt.exe

C:\Users\Admin\AppData\Local\Temp\020824c1dfea0166bf1bfe3ce59af7a7.exe
"C:\Users\Admin\AppData\Local\Temp\020824c1dfea0166bf1bfe3ce59af7a7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6052

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6040

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
PID:5348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:5584

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:5384

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:5820

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:2492

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:5568

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:4060

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:4700

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:5456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
5⤵
- Creates scheduled task(s)
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp53A9.tmp.bat""
5⤵
PID:2328

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:2876

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
7⤵
PID:4716

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
7⤵
- Executes dropped EXE
PID:3740

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:5388

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:6000

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5944

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:5976

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:4132

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:5968

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:5644

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:932

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADOBESERV.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AUDIOPT.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRVVIDEO.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINCPUL.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINLOGONL.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINPLAY.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
109646c92d721d673bf11146b6757ba5

SHA1
3604a442bc7e4b3575ee902bf87e85df16c3914c

SHA256
b050c504b260e8e170f6bab84dc15534f2b5b318bdd389f0a45f6279766c579d

SHA512
6b39eeb4906b1f18579446c56d9c8f431dbf4f5aba1f8276c2f66fec361861175142b750db194cb40487e5324d6d46a8b121f71799635a52315aac1529197f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
0d918a588c286a2779c255f66a68e885

SHA1
47429458811030fe8d0005a1400e70b383a58835

SHA256
033ba9bae60c96484b5a2f9fcf6ae5c73110ab5c2207b0d31c9bf4cbebabc69b

SHA512
6de22d9b5895be141871a14c9168de07c3f84d8cd95eeb22c733cc09766c149acad465840f2668f86b571d670a0bda2497ecf51839629fbdc6b7384e8d5e4e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
5da9e992e167b7f3e4aab87a1d3b04f3

SHA1
e6815e421018fe74cb25dc117679dced85b91d39

SHA256
1f491eee86a6ecc53986d732c45d8009329f6a0bf1222c940b59e1f5cc9e67a4

SHA512
8894735afce8ef55ac54a5fc92321e7813da2db5e334828d90d08f1cecb4b69e92d21655e8fd45c069f638439ed3587e349390d492eacbd73e562548eb6b2892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
95fff47841064c6e34e3edd62a5b4edb

SHA1
57b35006d489e70679b4cc481dce7ae727f48252

SHA256
6bfa220bc9e496d9a966df2cefccd11c981a63a91b3bdf9d3079106c23812177

SHA512
2f2e0344a3ecace9c97e01747c31278975bee3a5fc8d1a4f29b7513261fc5a1bbf3694ccdde64b8b8fcd027a6ab4b53538201610864ea7f6f8d58bb3f7c1bbea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
356ad1b1ba53e53759ce64c6b23f93f3

SHA1
166aee856cf6b78e1110a853647424b1f58b0c3a

SHA256
8a0302622132200b89e3dd32016f4e90be9fd2255279a2dc5a1a23b0d92b0e1a

SHA512
eb1752374c06796cbe59204e52a6a84c8e896adafbd6b3ebffb496f08943e82cf9febe7f2711466a4415ce55dd46942cb724d531be4534dabc801d19ba697c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
2da4b6c96f9f2b5a2e997bf4d92a8494

SHA1
6dcebf85ec510050ef211c469550c54eecaac2dc

SHA256
ad999c0677511936683b2a1925d62acb27b9c1c6671f81a3b49a31bfe66b9c80

SHA512
c8642441a3567dda17664c67faf95f7398a3a4294df62f14760ab195e1eb55588305f2ad0bdf5dd93e14a6ef1320bfb97b62ed343e852138b33094c761be34c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
0a0eddcf8313d1d4ff40b1a74275a0b0

SHA1
b3f4edc3a4b76c882e16b2f19771f1e57b05a36b

SHA256
ee8a54a62da733f1591eaebfb8cff42f5f19c470cd477f7c4e03caf7b9609389

SHA512
a7e6ba09473ebfaad080c0e9f39baa14a133655da0430c837c6f826a5d9996d252872539e332cc2197f78e302d9b0863d395ecd08781080379358086987defef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
0a0eddcf8313d1d4ff40b1a74275a0b0

SHA1
b3f4edc3a4b76c882e16b2f19771f1e57b05a36b

SHA256
ee8a54a62da733f1591eaebfb8cff42f5f19c470cd477f7c4e03caf7b9609389

SHA512
a7e6ba09473ebfaad080c0e9f39baa14a133655da0430c837c6f826a5d9996d252872539e332cc2197f78e302d9b0863d395ecd08781080379358086987defef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
32e038e3821707dc095787d153da9593

SHA1
0bf456ac0be7d176fc63f2c48a2cd41460c04cb6

SHA256
028bd71e1bea43219b97ed1c7f657b43270b6652c9d0044758c9c70ee12e6759

SHA512
4a5ddae190ded87ec8d10c843586aeaf2800845fffca22260242a29125708006719826ba0355d9ad79b40cb1c289d6500c84370d43911074e14622e90370b30b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
2bd1595e6fe98a36b97ed4e705c48f8a

SHA1
0052305d99dfc0ad34c5ee3b5c17fcb13f31ecd5

SHA256
0fef93d8286f2bafa5011f82740dd6b91ece18533a5623db947c0f5fe4760001

SHA512
29abb3ead04676685b2bc5d54e7d3e5599e77f7e34ecfc7bbb4f96fa4bfe4ccaa91971cfca305d66f56175d21736904956b806e1018b59b3d4ad756e2ede9ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
2bd1595e6fe98a36b97ed4e705c48f8a

SHA1
0052305d99dfc0ad34c5ee3b5c17fcb13f31ecd5

SHA256
0fef93d8286f2bafa5011f82740dd6b91ece18533a5623db947c0f5fe4760001

SHA512
29abb3ead04676685b2bc5d54e7d3e5599e77f7e34ecfc7bbb4f96fa4bfe4ccaa91971cfca305d66f56175d21736904956b806e1018b59b3d4ad756e2ede9ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
7ceadcc8aad71e16f8a83b4ce325163d

SHA1
881a8b6cebdf08fcf0b6332df84383be2bc1f3a0

SHA256
7142aa6d1c1d1d9908b5adcaedc023d2b198a01d6940cad1043d876802359d3b

SHA512
aaf749f43c51f07214b3c0231bbcb57eeaf99e82c3fc591c3e86ad6d9f37588cd58e16c0285cd47031000daa6d90e8a6c4b3200ba95cf89bb941750dbb707d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Roaming\Eubdk\Mpkly.exe
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Roaming\Gctkfrz\Lsqbtn.exe
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Roaming\Rfuzmus\Qtipp.exe
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Roaming\Thomibmb\Dbawda.exe
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/388-147-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/388-150-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/388-164-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/388-149-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/388-202-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/388-146-0x0000000000000000-mapping.dmp

Download
memory/660-158-0x0000000000000000-mapping.dmp

Download
memory/660-163-0x0000000000350000-0x00000000003D6000-memory.dmp

Filesize
536KB

Download
memory/860-176-0x0000000000000000-mapping.dmp

Download
memory/932-297-0x0000000000000000-mapping.dmp

Download
memory/1288-346-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1288-345-0x000000000AB70000-0x000000000AD10000-memory.dmp

Filesize
1.6MB

Download
memory/1288-352-0x000000000B1B0000-0x000000000B234000-memory.dmp

Filesize
528KB

Download
memory/1288-342-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1288-338-0x0000000000000000-mapping.dmp

Download
memory/1288-351-0x000000000B1B0000-0x000000000B234000-memory.dmp

Filesize
528KB

Download
memory/1372-183-0x0000000000000000-mapping.dmp

Download
memory/1804-195-0x0000000000000000-mapping.dmp

Download
memory/1868-321-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1868-312-0x0000000000000000-mapping.dmp

Download
memory/1940-333-0x0000000000000000-mapping.dmp

Download
memory/1996-157-0x0000000000E10000-0x0000000000F0A000-memory.dmp

Filesize
1000KB

Download
memory/1996-151-0x0000000000000000-mapping.dmp

Download
memory/2040-234-0x0000000000000000-mapping.dmp

Download
memory/2068-172-0x0000000000000000-mapping.dmp

Download
memory/2068-175-0x0000000000550000-0x00000000005CC000-memory.dmp

Filesize
496KB

Download
memory/2160-197-0x0000000000000000-mapping.dmp

Download
memory/2228-154-0x0000000000000000-mapping.dmp

Download
memory/2228-161-0x0000000000B90000-0x0000000000C48000-memory.dmp

Filesize
736KB

Download
memory/2252-288-0x0000000000000000-mapping.dmp

Download
memory/2260-182-0x0000000000000000-mapping.dmp

Download
memory/2328-192-0x0000000000000000-mapping.dmp

Download
memory/2328-331-0x0000000000000000-mapping.dmp

Download
memory/2352-289-0x0000000000000000-mapping.dmp

Download
memory/2436-185-0x0000000000000000-mapping.dmp

Download
memory/2492-322-0x0000000000000000-mapping.dmp

Download
memory/2552-171-0x0000000000680000-0x0000000000706000-memory.dmp

Filesize
536KB

Download
memory/2552-167-0x0000000000000000-mapping.dmp

Download
memory/2828-330-0x0000000000000000-mapping.dmp

Download
memory/2876-332-0x0000000000000000-mapping.dmp

Download
memory/2964-189-0x0000000000000000-mapping.dmp

Download
memory/2980-135-0x0000000005C00000-0x0000000005C0A000-memory.dmp

Filesize
40KB

Download
memory/2980-132-0x0000000000DA0000-0x0000000000FAE000-memory.dmp

Filesize
2.1MB

Download
memory/2980-134-0x0000000005C30000-0x0000000005CC2000-memory.dmp

Filesize
584KB

Download
memory/2980-133-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/3140-140-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/3140-139-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/3140-138-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/3140-137-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/3140-136-0x0000000000000000-mapping.dmp

Download
memory/3140-142-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/3140-141-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/3140-144-0x0000000006940000-0x000000000695A000-memory.dmp

Filesize
104KB

Download
memory/3140-143-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/3156-145-0x0000000000000000-mapping.dmp

Download
memory/3592-196-0x0000000000000000-mapping.dmp

Download
memory/3596-199-0x0000000000000000-mapping.dmp

Download
memory/3604-186-0x0000000000000000-mapping.dmp

Download
memory/3628-329-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3628-246-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3628-235-0x0000000000000000-mapping.dmp

Download
memory/3628-239-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3628-271-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3740-348-0x0000000000000000-mapping.dmp

Download
memory/4060-336-0x0000000000000000-mapping.dmp

Download
memory/4076-193-0x0000000000000000-mapping.dmp

Download
memory/4132-307-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4132-292-0x0000000000000000-mapping.dmp

Download
memory/4132-320-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4156-178-0x0000000000000000-mapping.dmp

Download
memory/4244-180-0x0000000000000000-mapping.dmp

Download
memory/4424-198-0x0000000000000000-mapping.dmp

Download
memory/4452-309-0x0000000000000000-mapping.dmp

Download
memory/4656-187-0x0000000000000000-mapping.dmp

Download
memory/4692-314-0x0000000000000000-mapping.dmp

Download
memory/4700-337-0x0000000000000000-mapping.dmp

Download
memory/4716-334-0x0000000000000000-mapping.dmp

Download
memory/4796-190-0x0000000000000000-mapping.dmp

Download
memory/4988-200-0x0000000000000000-mapping.dmp

Download
memory/5068-162-0x0000000000000000-mapping.dmp

Download
memory/5068-168-0x0000000000FA0000-0x0000000001028000-memory.dmp

Filesize
544KB

Download
memory/5348-347-0x000000000B2A0000-0x000000000B324000-memory.dmp

Filesize
528KB

Download
memory/5348-247-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5348-328-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5348-227-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5348-350-0x000000000B2A0000-0x000000000B324000-memory.dmp

Filesize
528KB

Download
memory/5348-219-0x0000000000000000-mapping.dmp

Download
memory/5348-324-0x000000000AC50000-0x000000000ADF0000-memory.dmp

Filesize
1.6MB

Download
memory/5348-221-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5384-230-0x0000000000000000-mapping.dmp

Download
memory/5388-231-0x0000000000000000-mapping.dmp

Download
memory/5456-325-0x0000000004F90000-0x000000000502C000-memory.dmp

Filesize
624KB

Download
memory/5456-241-0x0000000000000000-mapping.dmp

Download
memory/5456-252-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5568-335-0x0000000000000000-mapping.dmp

Download
memory/5584-228-0x0000000000000000-mapping.dmp

Download
memory/5608-343-0x0000000000000000-mapping.dmp

Download
memory/5608-344-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/5644-319-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5644-305-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5644-291-0x0000000000000000-mapping.dmp

Download
memory/5820-238-0x0000000000000000-mapping.dmp

Download
memory/5820-317-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5820-243-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5820-248-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5820-272-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5944-263-0x0000000000000000-mapping.dmp

Download
memory/5944-286-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5968-313-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5968-306-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5968-261-0x0000000000000000-mapping.dmp

Download
memory/5976-265-0x0000000000000000-mapping.dmp

Download
memory/6000-264-0x0000000000000000-mapping.dmp

Download
memory/6000-273-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6040-205-0x0000000000000000-mapping.dmp

Download
memory/6040-218-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6040-326-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6040-207-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6040-212-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6040-214-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6040-211-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6052-206-0x0000000000000000-mapping.dmp

Download
memory/6052-225-0x000000006EE90000-0x000000006EEC9000-memory.dmp

Filesize
228KB

Download
memory/6052-215-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6052-220-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6052-213-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6052-327-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6052-208-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6104-318-0x0000000000000000-mapping.dmp

Download
memory/6104-323-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download