asyncrat | 9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020824c1dfea0166bf1bfe3ce59af7a7.exe
Size

2.0MB
MD5

020824c1dfea0166bf1bfe3ce59af7a7
SHA1

e691e2f4607af277472ae32df75c4c42ff94b84c
SHA256

9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381
SHA512

025d92d41a81455513daccca997f396fe393909d7b388ec6f05b8eac5feef91e9996aa263501ac1b74962a40c5d9ce190df2be97f21bbfa8146c63cec6cda6b2
SSDEEP

49152:J6oUM9eEZyfky3a7B9L787fYIdLVYZcl+:RUMHyR3sB9q7CKA

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 new-july-july4-02 collection infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

45.74.4.244:5199

dgorijan20785.hopto.org:5199

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2152-285-0x000000000040C38E-mapping.dmp	asyncrat
behavioral1/memory/768-288-0x000000000040C38E-mapping.dmp	asyncrat
behavioral1/memory/768-315-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/692-444-0x000000000040C38E-mapping.dmp	asyncrat

Warzone RAT payload 16 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2976-236-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2976-242-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2976-255-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2976-248-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2068-303-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2388-335-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2388-385-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2068-382-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1444-388-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2976-379-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2992-380-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/1444-366-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1108-365-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2976-221-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2976-210-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2968-465-0x0000000000406DE6-mapping.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

AUDIOPT.EXEAUDIOPT.EXEInstallUtil.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe

Executes dropped EXE 35 IoCs

Processes:

ADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEAUDIOPT.EXEWINCPUL.EXEDRVVIDEO.EXEWINLOGONL.EXEWINPLAY.EXEWINLOGONL.EXEDRVVIDEO.EXEDRVVIDEO.EXEWINCPUL.EXEWINCPUL.EXEWINPLAY.EXEWINLOGONL.EXEAUDIOPT.EXEWINPLAY.EXEWINPLAY.EXEDRVVIDEO.EXEDRVVIDEO.EXEDRVVIDEO.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINCPUL.EXEDRVVIDEO.EXEAUDIOPT.EXEwintskl.exewintsklt.exewintskl.exewintsklt.exe

pid	process
1068	ADOBESERV.EXE
1364	AUDIOPT.EXE
276	DRVVIDEO.EXE
1760	WINCPUL.EXE
576	WINLOGONL.EXE
112	WINPLAY.EXE
2056	ADOBESERV.EXE
2076	AUDIOPT.EXE
2144	WINCPUL.EXE
2120	DRVVIDEO.EXE
2212	WINLOGONL.EXE
2280	WINPLAY.EXE
2964	WINLOGONL.EXE
3044	DRVVIDEO.EXE
624	DRVVIDEO.EXE
2224	WINCPUL.EXE
3060	WINCPUL.EXE
2084	WINPLAY.EXE
2976	WINLOGONL.EXE
2088	AUDIOPT.EXE
768	WINPLAY.EXE
2152	WINPLAY.EXE
2068	DRVVIDEO.EXE
976	DRVVIDEO.EXE
564	DRVVIDEO.EXE
2032	DRVVIDEO.EXE
2388	WINCPUL.EXE
1444	WINLOGONL.EXE
1108	WINCPUL.EXE
2992	DRVVIDEO.EXE
1068	AUDIOPT.EXE
2164	wintskl.exe
2168	wintsklt.exe
692	wintskl.exe
2968	wintsklt.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1924-65-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/1924-67-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/1924-69-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/1924-73-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/1924-74-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/1924-112-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/1924-187-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral1/memory/2088-234-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2132-238-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2088-246-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2132-250-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2088-330-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2132-369-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1716-387-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Loads dropped DLL 33 IoCs

Processes:

InstallUtil.exeWINLOGONL.EXEDRVVIDEO.EXEWINCPUL.EXEAUDIOPT.EXEWINPLAY.EXEWINPLAY.EXEWINCPUL.EXEDRVVIDEO.EXEWINLOGONL.EXEAUDIOPT.EXEcmd.exeWINCPUL.EXE

pid	process
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
576	WINLOGONL.EXE
576	WINLOGONL.EXE
276	DRVVIDEO.EXE
1760	WINCPUL.EXE
276	DRVVIDEO.EXE
1364	AUDIOPT.EXE
276	DRVVIDEO.EXE
1760	WINCPUL.EXE
1760	WINCPUL.EXE
112	WINPLAY.EXE
112	WINPLAY.EXE
2280	WINPLAY.EXE
2144	WINCPUL.EXE
2120	DRVVIDEO.EXE
2212	WINLOGONL.EXE
2120	DRVVIDEO.EXE
2120	DRVVIDEO.EXE
2120	DRVVIDEO.EXE
2076	AUDIOPT.EXE
2648	cmd.exe
2388	WINCPUL.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

DRVVIDEO.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DRVVIDEO.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DRVVIDEO.EXE

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DRVVIDEO.EXEWINCPUL.EXE020824c1dfea0166bf1bfe3ce59af7a7.exeAUDIOPT.EXEADOBESERV.EXEWINLOGONL.EXEAUDIOPT.EXEWINLOGONL.EXEDRVVIDEO.EXEADOBESERV.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	020824c1dfea0166bf1bfe3ce59af7a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE

Suspicious use of SetThreadContext 15 IoCs

Processes:

020824c1dfea0166bf1bfe3ce59af7a7.exeWINLOGONL.EXEAUDIOPT.EXEADOBESERV.EXEWINPLAY.EXEWINPLAY.EXEDRVVIDEO.EXEADOBESERV.EXEWINCPUL.EXEWINLOGONL.EXEWINCPUL.EXEDRVVIDEO.EXEAUDIOPT.EXEwintskl.exewintsklt.exe

description	pid	process	target process
PID 1088 set thread context of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 576 set thread context of 2976	576	WINLOGONL.EXE	WINLOGONL.EXE
PID 1364 set thread context of 2088	1364	AUDIOPT.EXE	AUDIOPT.EXE
PID 1068 set thread context of 2132	1068	ADOBESERV.EXE	InstallUtil.exe
PID 112 set thread context of 2152	112	WINPLAY.EXE	WINPLAY.EXE
PID 2280 set thread context of 768	2280	WINPLAY.EXE	WINPLAY.EXE
PID 276 set thread context of 2068	276	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 2056 set thread context of 1716	2056	ADOBESERV.EXE	InstallUtil.exe
PID 1760 set thread context of 2388	1760	WINCPUL.EXE	WINCPUL.EXE
PID 2212 set thread context of 1444	2212	WINLOGONL.EXE	WINLOGONL.EXE
PID 2144 set thread context of 1108	2144	WINCPUL.EXE	WINCPUL.EXE
PID 2120 set thread context of 2992	2120	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 2076 set thread context of 1068	2076	AUDIOPT.EXE	AUDIOPT.EXE
PID 2164 set thread context of 692	2164	wintskl.exe	wintskl.exe
PID 2168 set thread context of 2968	2168	wintsklt.exe	wintsklt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2800 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

856 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

pid	process
2800	schtasks.exe

pid	process
856	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe020824c1dfea0166bf1bfe3ce59af7a7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWINLOGONL.EXEDRVVIDEO.EXEWINCPUL.EXEAUDIOPT.EXEADOBESERV.EXEWINPLAY.EXEWINPLAY.EXEADOBESERV.EXEWINCPUL.EXEWINLOGONL.EXEDRVVIDEO.EXE

pid	process
948	powershell.exe
1088	020824c1dfea0166bf1bfe3ce59af7a7.exe
1088	020824c1dfea0166bf1bfe3ce59af7a7.exe
1088	020824c1dfea0166bf1bfe3ce59af7a7.exe
1136	powershell.exe
1600	powershell.exe
664	powershell.exe
2020	powershell.exe
1212	powershell.exe
584	powershell.exe
2268	powershell.exe
2352	powershell.exe
2456	powershell.exe
2520	powershell.exe
2472	powershell.exe
576	WINLOGONL.EXE
576	WINLOGONL.EXE
576	WINLOGONL.EXE
576	WINLOGONL.EXE
576	WINLOGONL.EXE
576	WINLOGONL.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
276	DRVVIDEO.EXE
1760	WINCPUL.EXE
1760	WINCPUL.EXE
1760	WINCPUL.EXE
1760	WINCPUL.EXE
1364	AUDIOPT.EXE
1364	AUDIOPT.EXE
1760	WINCPUL.EXE
1760	WINCPUL.EXE
1760	WINCPUL.EXE
1760	WINCPUL.EXE
1068	ADOBESERV.EXE
1068	ADOBESERV.EXE
112	WINPLAY.EXE
112	WINPLAY.EXE
112	WINPLAY.EXE
112	WINPLAY.EXE
1760	WINCPUL.EXE
1760	WINCPUL.EXE
112	WINPLAY.EXE
112	WINPLAY.EXE
2280	WINPLAY.EXE
2280	WINPLAY.EXE
2056	ADOBESERV.EXE
2056	ADOBESERV.EXE
2144	WINCPUL.EXE
2144	WINCPUL.EXE
2212	WINLOGONL.EXE
2212	WINLOGONL.EXE
2120	DRVVIDEO.EXE
2120	DRVVIDEO.EXE
2120	DRVVIDEO.EXE
2120	DRVVIDEO.EXE
2120	DRVVIDEO.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe020824c1dfea0166bf1bfe3ce59af7a7.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWINLOGONL.EXEDRVVIDEO.EXEAUDIOPT.EXEADOBESERV.EXEWINCPUL.EXEWINPLAY.EXEADOBESERV.EXEWINPLAY.EXEDRVVIDEO.EXEWINLOGONL.EXEWINCPUL.EXEAUDIOPT.EXE

description	pid	process
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe
Token: SeIncreaseQuotaPrivilege	1924	InstallUtil.exe
Token: SeSecurityPrivilege	1924	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	1924	InstallUtil.exe
Token: SeLoadDriverPrivilege	1924	InstallUtil.exe
Token: SeSystemProfilePrivilege	1924	InstallUtil.exe
Token: SeSystemtimePrivilege	1924	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	1924	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1924	InstallUtil.exe
Token: SeCreatePagefilePrivilege	1924	InstallUtil.exe
Token: SeBackupPrivilege	1924	InstallUtil.exe
Token: SeRestorePrivilege	1924	InstallUtil.exe
Token: SeShutdownPrivilege	1924	InstallUtil.exe
Token: SeDebugPrivilege	1924	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	1924	InstallUtil.exe
Token: SeChangeNotifyPrivilege	1924	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	1924	InstallUtil.exe
Token: SeUndockPrivilege	1924	InstallUtil.exe
Token: SeManageVolumePrivilege	1924	InstallUtil.exe
Token: SeImpersonatePrivilege	1924	InstallUtil.exe
Token: SeCreateGlobalPrivilege	1924	InstallUtil.exe
Token: 33	1924	InstallUtil.exe
Token: 34	1924	InstallUtil.exe
Token: 35	1924	InstallUtil.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	576	WINLOGONL.EXE
Token: SeDebugPrivilege	276	DRVVIDEO.EXE
Token: SeDebugPrivilege	1364	AUDIOPT.EXE
Token: SeDebugPrivilege	1068	ADOBESERV.EXE
Token: SeDebugPrivilege	1760	WINCPUL.EXE
Token: SeDebugPrivilege	112	WINPLAY.EXE
Token: SeDebugPrivilege	2056	ADOBESERV.EXE
Token: SeDebugPrivilege	2280	WINPLAY.EXE
Token: SeDebugPrivilege	2120	DRVVIDEO.EXE
Token: SeDebugPrivilege	2212	WINLOGONL.EXE
Token: SeDebugPrivilege	2144	WINCPUL.EXE
Token: SeIncreaseQuotaPrivilege	2088	AUDIOPT.EXE
Token: SeSecurityPrivilege	2088	AUDIOPT.EXE
Token: SeTakeOwnershipPrivilege	2088	AUDIOPT.EXE
Token: SeLoadDriverPrivilege	2088	AUDIOPT.EXE
Token: SeSystemProfilePrivilege	2088	AUDIOPT.EXE
Token: SeSystemtimePrivilege	2088	AUDIOPT.EXE
Token: SeProfSingleProcessPrivilege	2088	AUDIOPT.EXE
Token: SeIncBasePriorityPrivilege	2088	AUDIOPT.EXE
Token: SeCreatePagefilePrivilege	2088	AUDIOPT.EXE
Token: SeBackupPrivilege	2088	AUDIOPT.EXE
Token: SeRestorePrivilege	2088	AUDIOPT.EXE
Token: SeShutdownPrivilege	2088	AUDIOPT.EXE
Token: SeDebugPrivilege	2088	AUDIOPT.EXE
Token: SeSystemEnvironmentPrivilege	2088	AUDIOPT.EXE
Token: SeChangeNotifyPrivilege	2088	AUDIOPT.EXE
Token: SeRemoteShutdownPrivilege	2088	AUDIOPT.EXE
Token: SeUndockPrivilege	2088	AUDIOPT.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

InstallUtil.exeAUDIOPT.EXEInstallUtil.exeDRVVIDEO.EXE

pid process

1924 InstallUtil.exe
2088 AUDIOPT.EXE
1716 InstallUtil.exe
2068 DRVVIDEO.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

020824c1dfea0166bf1bfe3ce59af7a7.exeInstallUtil.exeADOBESERV.EXEDRVVIDEO.EXEAUDIOPT.EXEWINLOGONL.EXEWINCPUL.EXE

description	pid	process	target process
PID 1088 wrote to memory of 948	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 1088 wrote to memory of 948	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 1088 wrote to memory of 948	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 1088 wrote to memory of 948	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 1088 wrote to memory of 836	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 836	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 836	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 836	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 836	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 836	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 836	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1088 wrote to memory of 1924	1088	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 1924 wrote to memory of 1068	1924	InstallUtil.exe	ADOBESERV.EXE
PID 1924 wrote to memory of 1068	1924	InstallUtil.exe	ADOBESERV.EXE
PID 1924 wrote to memory of 1068	1924	InstallUtil.exe	ADOBESERV.EXE
PID 1924 wrote to memory of 1068	1924	InstallUtil.exe	ADOBESERV.EXE
PID 1924 wrote to memory of 1364	1924	InstallUtil.exe	AUDIOPT.EXE
PID 1924 wrote to memory of 1364	1924	InstallUtil.exe	AUDIOPT.EXE
PID 1924 wrote to memory of 1364	1924	InstallUtil.exe	AUDIOPT.EXE
PID 1924 wrote to memory of 1364	1924	InstallUtil.exe	AUDIOPT.EXE
PID 1924 wrote to memory of 276	1924	InstallUtil.exe	DRVVIDEO.EXE
PID 1924 wrote to memory of 276	1924	InstallUtil.exe	DRVVIDEO.EXE
PID 1924 wrote to memory of 276	1924	InstallUtil.exe	DRVVIDEO.EXE
PID 1924 wrote to memory of 276	1924	InstallUtil.exe	DRVVIDEO.EXE
PID 1924 wrote to memory of 1760	1924	InstallUtil.exe	WINCPUL.EXE
PID 1924 wrote to memory of 1760	1924	InstallUtil.exe	WINCPUL.EXE
PID 1924 wrote to memory of 1760	1924	InstallUtil.exe	WINCPUL.EXE
PID 1924 wrote to memory of 1760	1924	InstallUtil.exe	WINCPUL.EXE
PID 1924 wrote to memory of 576	1924	InstallUtil.exe	WINLOGONL.EXE
PID 1924 wrote to memory of 576	1924	InstallUtil.exe	WINLOGONL.EXE
PID 1924 wrote to memory of 576	1924	InstallUtil.exe	WINLOGONL.EXE
PID 1924 wrote to memory of 576	1924	InstallUtil.exe	WINLOGONL.EXE
PID 1068 wrote to memory of 664	1068	ADOBESERV.EXE	powershell.exe
PID 1068 wrote to memory of 664	1068	ADOBESERV.EXE	powershell.exe
PID 1068 wrote to memory of 664	1068	ADOBESERV.EXE	powershell.exe
PID 1068 wrote to memory of 664	1068	ADOBESERV.EXE	powershell.exe
PID 276 wrote to memory of 1136	276	DRVVIDEO.EXE	powershell.exe
PID 276 wrote to memory of 1136	276	DRVVIDEO.EXE	powershell.exe
PID 276 wrote to memory of 1136	276	DRVVIDEO.EXE	powershell.exe
PID 276 wrote to memory of 1136	276	DRVVIDEO.EXE	powershell.exe
PID 1924 wrote to memory of 112	1924	InstallUtil.exe	WINPLAY.EXE
PID 1924 wrote to memory of 112	1924	InstallUtil.exe	WINPLAY.EXE
PID 1924 wrote to memory of 112	1924	InstallUtil.exe	WINPLAY.EXE
PID 1924 wrote to memory of 112	1924	InstallUtil.exe	WINPLAY.EXE
PID 1364 wrote to memory of 1600	1364	AUDIOPT.EXE	powershell.exe
PID 1364 wrote to memory of 1600	1364	AUDIOPT.EXE	powershell.exe
PID 1364 wrote to memory of 1600	1364	AUDIOPT.EXE	powershell.exe
PID 1364 wrote to memory of 1600	1364	AUDIOPT.EXE	powershell.exe
PID 576 wrote to memory of 2020	576	WINLOGONL.EXE	powershell.exe
PID 576 wrote to memory of 2020	576	WINLOGONL.EXE	powershell.exe
PID 576 wrote to memory of 2020	576	WINLOGONL.EXE	powershell.exe
PID 576 wrote to memory of 2020	576	WINLOGONL.EXE	powershell.exe
PID 1760 wrote to memory of 1212	1760	WINCPUL.EXE	powershell.exe
PID 1760 wrote to memory of 1212	1760	WINCPUL.EXE	powershell.exe

outlook_office_path 1 IoCs

Processes:

DRVVIDEO.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DRVVIDEO.EXE

outlook_win_path 1 IoCs

Processes:

DRVVIDEO.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DRVVIDEO.EXE

C:\Users\Admin\AppData\Local\Temp\020824c1dfea0166bf1bfe3ce59af7a7.exe
"C:\Users\Admin\AppData\Local\Temp\020824c1dfea0166bf1bfe3ce59af7a7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:2964

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:2976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
5⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4616.tmp.bat""
5⤵
- Loads dropped DLL
PID:2648

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:856

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
7⤵
PID:840

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
7⤵
- Executes dropped EXE
PID:692

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:1108

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:564

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:2992

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:976

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:2084

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
PID:2388

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:2996

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:3060

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:2132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c94bd2362c23368b5d93de6c8bca2b5

SHA1
fcdc3f78d94fceee059a2734f320f8bffd15157a

SHA256
b92b1e743bad10d3b5b9e1c361472c78dad8f5b41b04e50e09afbbbd0bb34de0

SHA512
aae5c68a254dc4d16fbf75a12f4d2e312f856579f52813ee7398d6c7786583d166333c07c5ab87824b13038a4c5c01c8b49c7a84832f10acc934c87f59d2b979

Download Submit
C:\Users\Admin\AppData\Roaming\Thomibmb\Dbawda.exe
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
memory/112-114-0x0000000000000000-mapping.dmp

Download
memory/112-124-0x00000000006F0000-0x0000000000740000-memory.dmp

Filesize
320KB

Download
memory/112-119-0x0000000000B40000-0x0000000000BBC000-memory.dmp

Filesize
496KB

Download
memory/276-85-0x0000000000000000-mapping.dmp

Download
memory/276-93-0x00000000001C0000-0x0000000000246000-memory.dmp

Filesize
536KB

Download
memory/276-100-0x0000000001F40000-0x0000000001F9C000-memory.dmp

Filesize
368KB

Download
memory/576-96-0x0000000000000000-mapping.dmp

Download
memory/576-106-0x0000000001030000-0x00000000010B6000-memory.dmp

Filesize
536KB

Download
memory/576-115-0x0000000000530000-0x000000000058A000-memory.dmp

Filesize
360KB

Download
memory/584-205-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/584-193-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/584-132-0x0000000000000000-mapping.dmp

Download
memory/584-168-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/664-190-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/664-162-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/664-108-0x0000000000000000-mapping.dmp

Download
memory/664-197-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/692-444-0x000000000040C38E-mapping.dmp

Download
memory/768-315-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/768-288-0x000000000040C38E-mapping.dmp

Download
memory/840-418-0x0000000000000000-mapping.dmp

Download
memory/856-414-0x0000000000000000-mapping.dmp

Download
memory/948-61-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/948-63-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/948-62-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-87-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/1068-81-0x0000000000C60000-0x0000000000D5A000-memory.dmp

Filesize
1000KB

Download
memory/1068-91-0x00000000044C0000-0x0000000004562000-memory.dmp

Filesize
648KB

Download
memory/1068-76-0x0000000000000000-mapping.dmp

Download
memory/1068-406-0x00000000004B56A0-mapping.dmp

Download
memory/1088-55-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1088-58-0x0000000004700000-0x000000000474C000-memory.dmp

Filesize
304KB

Download
memory/1088-54-0x00000000009D0000-0x0000000000BDE000-memory.dmp

Filesize
2.1MB

Download
memory/1088-57-0x00000000053F0000-0x00000000055DC000-memory.dmp

Filesize
1.9MB

Download
memory/1088-56-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1108-365-0x0000000000406DE6-mapping.dmp

Download
memory/1136-196-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1136-109-0x0000000000000000-mapping.dmp

Download
memory/1136-155-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1136-188-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1212-125-0x0000000000000000-mapping.dmp

Download
memory/1212-165-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1212-207-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1212-192-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-80-0x0000000000000000-mapping.dmp

Download
memory/1364-107-0x0000000004770000-0x00000000047F8000-memory.dmp

Filesize
544KB

Download
memory/1364-97-0x0000000000DC0000-0x0000000000E78000-memory.dmp

Filesize
736KB

Download
memory/1444-388-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1444-366-0x0000000000405CE2-mapping.dmp

Download
memory/1500-425-0x0000000000000000-mapping.dmp

Download
memory/1600-189-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-195-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-116-0x0000000000000000-mapping.dmp

Download
memory/1600-157-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-387-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1716-320-0x00000000004C6E20-mapping.dmp

Download
memory/1760-92-0x0000000000000000-mapping.dmp

Download
memory/1760-111-0x0000000001EC0000-0x0000000001F1C000-memory.dmp

Filesize
368KB

Download
memory/1760-104-0x0000000000360000-0x00000000003E8000-memory.dmp

Filesize
544KB

Download
memory/1924-74-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1924-73-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1924-187-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1924-69-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1924-67-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1924-112-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1924-70-0x0000000000850190-mapping.dmp

Download
memory/1924-65-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/1924-64-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2020-191-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-194-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-164-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-121-0x0000000000000000-mapping.dmp

Download
memory/2056-147-0x0000000005260000-0x0000000005302000-memory.dmp

Filesize
648KB

Download
memory/2056-138-0x0000000000000000-mapping.dmp

Download
memory/2068-382-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2068-243-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2068-303-0x0000000000406DE6-mapping.dmp

Download
memory/2068-229-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2068-222-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2076-141-0x0000000000000000-mapping.dmp

Download
memory/2088-234-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2088-246-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2088-224-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2088-261-0x00000000004B56A0-mapping.dmp

Download
memory/2088-330-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2120-144-0x0000000000000000-mapping.dmp

Download
memory/2132-227-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2132-369-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2132-238-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2132-267-0x00000000004C6E20-mapping.dmp

Download
memory/2132-250-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2144-146-0x0000000000000000-mapping.dmp

Download
memory/2152-285-0x000000000040C38E-mapping.dmp

Download
memory/2152-244-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2152-239-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-415-0x0000000000000000-mapping.dmp

Download
memory/2168-426-0x0000000000000000-mapping.dmp

Download
memory/2212-152-0x0000000000000000-mapping.dmp

Download
memory/2220-424-0x0000000000000000-mapping.dmp

Download
memory/2268-182-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2268-158-0x0000000000000000-mapping.dmp

Download
memory/2268-254-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2268-206-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2280-160-0x0000000000000000-mapping.dmp

Download
memory/2352-167-0x0000000000000000-mapping.dmp

Download
memory/2352-208-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2352-183-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2352-263-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2388-335-0x0000000000406DE6-mapping.dmp

Download
memory/2388-385-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2456-184-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-170-0x0000000000000000-mapping.dmp

Download
memory/2456-260-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-212-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2472-171-0x0000000000000000-mapping.dmp

Download
memory/2472-186-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2472-257-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2472-220-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-364-0x0000000000000000-mapping.dmp

Download
memory/2520-216-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-173-0x0000000000000000-mapping.dmp

Download
memory/2520-264-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-185-0x000000006F310000-0x000000006F8BB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-413-0x0000000000000000-mapping.dmp

Download
memory/2800-412-0x0000000000000000-mapping.dmp

Download
memory/2968-465-0x0000000000406DE6-mapping.dmp

Download
memory/2976-204-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2976-242-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2976-221-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2976-201-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2976-202-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2976-379-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2976-210-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2976-248-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2976-255-0x0000000000405CE2-mapping.dmp

Download
memory/2976-236-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2992-380-0x0000000000406DE6-mapping.dmp

Download
memory/2996-430-0x0000000000000000-mapping.dmp

Download