asyncrat | 9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020824c1dfea0166bf1bfe3ce59af7a7.exe
Size

2.0MB
MD5

020824c1dfea0166bf1bfe3ce59af7a7
SHA1

e691e2f4607af277472ae32df75c4c42ff94b84c
SHA256

9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381
SHA512

025d92d41a81455513daccca997f396fe393909d7b388ec6f05b8eac5feef91e9996aa263501ac1b74962a40c5d9ce190df2be97f21bbfa8146c63cec6cda6b2
SSDEEP

49152:J6oUM9eEZyfky3a7B9L787fYIdLVYZcl+:RUMHyR3sB9q7CKA

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 new-july-july4-02 collection infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/6020-239-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 20 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5932-218-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5932-224-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6100-275-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6088-279-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3712-281-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4800-300-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6088-252-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/6100-250-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5932-241-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6088-238-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/6100-237-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3712-302-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3356-303-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4800-304-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5932-309-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3356-308-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/6100-319-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6088-320-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/740-334-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/740-339-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat

Drops file in Drivers directory 3 IoCs

Processes:

InstallUtil.exeAUDIOPT.EXEAUDIOPT.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AUDIOPT.EXE

Executes dropped EXE 31 IoCs

Processes:

ADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEAUDIOPT.EXEDRVVIDEO.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEWINCPUL.EXEAUDIOPT.EXEAUDIOPT.EXEWINLOGONL.EXEDRVVIDEO.EXEWINLOGONL.EXEWINPLAY.EXEDRVVIDEO.EXEAUDIOPT.EXEAUDIOPT.EXEWINPLAY.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXEwintsklt.exewintskl.exewintsklt.exewintsklt.exewintskl.exe

pid	process
3852	ADOBESERV.EXE
3940	AUDIOPT.EXE
5068	DRVVIDEO.EXE
2360	WINCPUL.EXE
4808	WINLOGONL.EXE
4440	WINPLAY.EXE
5080	ADOBESERV.EXE
1976	AUDIOPT.EXE
1640	DRVVIDEO.EXE
428	WINCPUL.EXE
644	WINLOGONL.EXE
2616	WINPLAY.EXE
5932	WINCPUL.EXE
5912	AUDIOPT.EXE
6004	AUDIOPT.EXE
6112	WINLOGONL.EXE
6100	DRVVIDEO.EXE
6088	WINLOGONL.EXE
6020	WINPLAY.EXE
3712	DRVVIDEO.EXE
5376	AUDIOPT.EXE
452	AUDIOPT.EXE
5720	WINPLAY.EXE
4800	WINCPUL.EXE
3356	WINLOGONL.EXE
5740	WINPLAY.EXE
5384	wintsklt.exe
5632	wintskl.exe
3552	wintsklt.exe
740	wintsklt.exe
6028	wintskl.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2356-146-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2356-148-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2356-149-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2356-162-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/2356-202-0x0000000000400000-0x0000000000853000-memory.dmp	upx
behavioral2/memory/5860-206-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5860-208-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5860-211-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6120-261-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5376-287-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5376-276-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5376-274-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5376-269-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/452-301-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5376-264-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5860-318-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DRVVIDEO.EXEwintsklt.exeADOBESERV.EXEWINPLAY.EXEAUDIOPT.EXEWINLOGONL.EXEWINPLAY.EXEwintskl.exeDRVVIDEO.EXEADOBESERV.EXEWINCPUL.EXEWINLOGONL.EXEWINPLAY.EXE020824c1dfea0166bf1bfe3ce59af7a7.exeWINCPUL.EXEAUDIOPT.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wintskl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DRVVIDEO.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ADOBESERV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINLOGONL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINPLAY.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	020824c1dfea0166bf1bfe3ce59af7a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINCPUL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AUDIOPT.EXE

Drops startup file 2 IoCs

Processes:

WINCPUL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINCPUL.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINCPUL.EXE

Loads dropped DLL 12 IoCs

Processes:

DRVVIDEO.EXEwintsklt.exe

pid	process
6100	DRVVIDEO.EXE
6100	DRVVIDEO.EXE
6100	DRVVIDEO.EXE
6100	DRVVIDEO.EXE
6100	DRVVIDEO.EXE
6100	DRVVIDEO.EXE
740	wintsklt.exe
740	wintsklt.exe
740	wintsklt.exe
740	wintsklt.exe
740	wintsklt.exe
740	wintsklt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

DRVVIDEO.EXEwintsklt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DRVVIDEO.EXE
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DRVVIDEO.EXE
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wintsklt.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wintsklt.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINLOGONL.EXEWINCPUL.EXE020824c1dfea0166bf1bfe3ce59af7a7.exeADOBESERV.EXEDRVVIDEO.EXEWINLOGONL.EXEDRVVIDEO.EXEAUDIOPT.EXEAUDIOPT.EXEADOBESERV.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINCPUL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfczxnkd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uyhtq\\Lfczxnkd.exe\""	020824c1dfea0166bf1bfe3ce59af7a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpkly = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eubdk\\Mpkly.exe\""	WINLOGONL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qtipp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rfuzmus\\Qtipp.exe\""	DRVVIDEO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lsqbtn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gctkfrz\\Lsqbtn.exe\""	AUDIOPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dbawda = "\"C:\\Users\\Admin\\AppData\\Roaming\\Thomibmb\\Dbawda.exe\""	ADOBESERV.EXE

Suspicious use of SetThreadContext 15 IoCs

Processes:

020824c1dfea0166bf1bfe3ce59af7a7.exeADOBESERV.EXEWINCPUL.EXEDRVVIDEO.EXEWINLOGONL.EXEWINPLAY.EXEADOBESERV.EXEDRVVIDEO.EXEAUDIOPT.EXEAUDIOPT.EXEWINLOGONL.EXEWINCPUL.EXEWINPLAY.EXEwintsklt.exewintskl.exe

description	pid	process	target process
PID 5016 set thread context of 2356	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 3852 set thread context of 5860	3852	ADOBESERV.EXE	InstallUtil.exe
PID 2360 set thread context of 5932	2360	WINCPUL.EXE	WINCPUL.EXE
PID 5068 set thread context of 6100	5068	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 4808 set thread context of 6088	4808	WINLOGONL.EXE	WINLOGONL.EXE
PID 4440 set thread context of 6020	4440	WINPLAY.EXE	WINPLAY.EXE
PID 5080 set thread context of 6120	5080	ADOBESERV.EXE	InstallUtil.exe
PID 1640 set thread context of 3712	1640	DRVVIDEO.EXE	DRVVIDEO.EXE
PID 1976 set thread context of 5376	1976	AUDIOPT.EXE	AUDIOPT.EXE
PID 3940 set thread context of 452	3940	AUDIOPT.EXE	AUDIOPT.EXE
PID 644 set thread context of 3356	644	WINLOGONL.EXE	WINLOGONL.EXE
PID 428 set thread context of 4800	428	WINCPUL.EXE	WINCPUL.EXE
PID 2616 set thread context of 5740	2616	WINPLAY.EXE	WINPLAY.EXE
PID 5384 set thread context of 740	5384	wintsklt.exe	wintsklt.exe
PID 5632 set thread context of 6028	5632	wintskl.exe	wintskl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2932 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5516 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINCPUL.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINCPUL.EXE

pid	process
2932	schtasks.exe

pid	process
5516	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINCPUL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe020824c1dfea0166bf1bfe3ce59af7a7.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeADOBESERV.EXEAUDIOPT.EXEWINCPUL.EXEWINPLAY.EXEWINLOGONL.EXEADOBESERV.EXEWINLOGONL.EXEDRVVIDEO.EXE

pid	process
4160	powershell.exe
4160	powershell.exe
5016	020824c1dfea0166bf1bfe3ce59af7a7.exe
5016	020824c1dfea0166bf1bfe3ce59af7a7.exe
4052	powershell.exe
4052	powershell.exe
4600	powershell.exe
4600	powershell.exe
4480	powershell.exe
4480	powershell.exe
3928	powershell.exe
3928	powershell.exe
3404	powershell.exe
3404	powershell.exe
1180	powershell.exe
1180	powershell.exe
3624	powershell.exe
3624	powershell.exe
1588	powershell.exe
1588	powershell.exe
5112	powershell.exe
5112	powershell.exe
5084	powershell.exe
5084	powershell.exe
3660	powershell.exe
3660	powershell.exe
2548	powershell.exe
2548	powershell.exe
4600	powershell.exe
4052	powershell.exe
4480	powershell.exe
3404	powershell.exe
3624	powershell.exe
1588	powershell.exe
3928	powershell.exe
5084	powershell.exe
1180	powershell.exe
3660	powershell.exe
5112	powershell.exe
2548	powershell.exe
3852	ADOBESERV.EXE
3852	ADOBESERV.EXE
3852	ADOBESERV.EXE
3852	ADOBESERV.EXE
3852	ADOBESERV.EXE
3852	ADOBESERV.EXE
3940	AUDIOPT.EXE
3940	AUDIOPT.EXE
2360	WINCPUL.EXE
2360	WINCPUL.EXE
3940	AUDIOPT.EXE
3940	AUDIOPT.EXE
3940	AUDIOPT.EXE
3940	AUDIOPT.EXE
4440	WINPLAY.EXE
4440	WINPLAY.EXE
644	WINLOGONL.EXE
644	WINLOGONL.EXE
5080	ADOBESERV.EXE
5080	ADOBESERV.EXE
4808	WINLOGONL.EXE
4808	WINLOGONL.EXE
5068	DRVVIDEO.EXE
5068	DRVVIDEO.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

5860 InstallUtil.exe

pid	process
5860	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe020824c1dfea0166bf1bfe3ce59af7a7.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeADOBESERV.EXEAUDIOPT.EXEInstallUtil.exeWINCPUL.EXEADOBESERV.EXEDRVVIDEO.EXEWINLOGONL.EXEWINPLAY.EXEWINLOGONL.EXEDRVVIDEO.EXEAUDIOPT.EXEWINPLAY.EXEInstallUtil.exeWINCPUL.EXEAUDIOPT.EXE

description	pid	process
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe
Token: SeIncreaseQuotaPrivilege	2356	InstallUtil.exe
Token: SeSecurityPrivilege	2356	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	2356	InstallUtil.exe
Token: SeLoadDriverPrivilege	2356	InstallUtil.exe
Token: SeSystemProfilePrivilege	2356	InstallUtil.exe
Token: SeSystemtimePrivilege	2356	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	2356	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2356	InstallUtil.exe
Token: SeCreatePagefilePrivilege	2356	InstallUtil.exe
Token: SeBackupPrivilege	2356	InstallUtil.exe
Token: SeRestorePrivilege	2356	InstallUtil.exe
Token: SeShutdownPrivilege	2356	InstallUtil.exe
Token: SeDebugPrivilege	2356	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	2356	InstallUtil.exe
Token: SeChangeNotifyPrivilege	2356	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	2356	InstallUtil.exe
Token: SeUndockPrivilege	2356	InstallUtil.exe
Token: SeManageVolumePrivilege	2356	InstallUtil.exe
Token: SeImpersonatePrivilege	2356	InstallUtil.exe
Token: SeCreateGlobalPrivilege	2356	InstallUtil.exe
Token: 33	2356	InstallUtil.exe
Token: 34	2356	InstallUtil.exe
Token: 35	2356	InstallUtil.exe
Token: 36	2356	InstallUtil.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	3852	ADOBESERV.EXE
Token: SeDebugPrivilege	3940	AUDIOPT.EXE
Token: SeShutdownPrivilege	5860	InstallUtil.exe
Token: SeDebugPrivilege	5860	InstallUtil.exe
Token: SeTcbPrivilege	5860	InstallUtil.exe
Token: SeDebugPrivilege	2360	WINCPUL.EXE
Token: SeDebugPrivilege	5080	ADOBESERV.EXE
Token: SeDebugPrivilege	5068	DRVVIDEO.EXE
Token: SeDebugPrivilege	4808	WINLOGONL.EXE
Token: SeDebugPrivilege	4440	WINPLAY.EXE
Token: SeDebugPrivilege	644	WINLOGONL.EXE
Token: SeDebugPrivilege	1640	DRVVIDEO.EXE
Token: SeDebugPrivilege	1976	AUDIOPT.EXE
Token: SeDebugPrivilege	2616	WINPLAY.EXE
Token: SeShutdownPrivilege	6120	InstallUtil.exe
Token: SeDebugPrivilege	6120	InstallUtil.exe
Token: SeTcbPrivilege	6120	InstallUtil.exe
Token: SeDebugPrivilege	428	WINCPUL.EXE
Token: SeIncreaseQuotaPrivilege	5376	AUDIOPT.EXE
Token: SeSecurityPrivilege	5376	AUDIOPT.EXE
Token: SeTakeOwnershipPrivilege	5376	AUDIOPT.EXE
Token: SeLoadDriverPrivilege	5376	AUDIOPT.EXE
Token: SeSystemProfilePrivilege	5376	AUDIOPT.EXE
Token: SeSystemtimePrivilege	5376	AUDIOPT.EXE
Token: SeProfSingleProcessPrivilege	5376	AUDIOPT.EXE
Token: SeIncBasePriorityPrivilege	5376	AUDIOPT.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

InstallUtil.exeInstallUtil.exeAUDIOPT.EXEDRVVIDEO.EXEwintsklt.exe

pid process

2356 InstallUtil.exe
5860 InstallUtil.exe
452 AUDIOPT.EXE
6100 DRVVIDEO.EXE
740 wintsklt.exe

pid	process
2356	InstallUtil.exe
5860	InstallUtil.exe
452	AUDIOPT.EXE
6100	DRVVIDEO.EXE
740	wintsklt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

020824c1dfea0166bf1bfe3ce59af7a7.exeInstallUtil.exeAUDIOPT.EXEDRVVIDEO.EXEADOBESERV.EXEWINLOGONL.EXEWINCPUL.EXEWINPLAY.EXE

description	pid	process	target process
PID 5016 wrote to memory of 4160	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 5016 wrote to memory of 4160	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 5016 wrote to memory of 4160	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	powershell.exe
PID 5016 wrote to memory of 2356	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 5016 wrote to memory of 2356	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 5016 wrote to memory of 2356	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 5016 wrote to memory of 2356	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 5016 wrote to memory of 2356	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 5016 wrote to memory of 2356	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 5016 wrote to memory of 2356	5016	020824c1dfea0166bf1bfe3ce59af7a7.exe	InstallUtil.exe
PID 2356 wrote to memory of 3852	2356	InstallUtil.exe	ADOBESERV.EXE
PID 2356 wrote to memory of 3852	2356	InstallUtil.exe	ADOBESERV.EXE
PID 2356 wrote to memory of 3852	2356	InstallUtil.exe	ADOBESERV.EXE
PID 2356 wrote to memory of 3940	2356	InstallUtil.exe	AUDIOPT.EXE
PID 2356 wrote to memory of 3940	2356	InstallUtil.exe	AUDIOPT.EXE
PID 2356 wrote to memory of 3940	2356	InstallUtil.exe	AUDIOPT.EXE
PID 2356 wrote to memory of 5068	2356	InstallUtil.exe	DRVVIDEO.EXE
PID 2356 wrote to memory of 5068	2356	InstallUtil.exe	DRVVIDEO.EXE
PID 2356 wrote to memory of 5068	2356	InstallUtil.exe	DRVVIDEO.EXE
PID 2356 wrote to memory of 2360	2356	InstallUtil.exe	WINCPUL.EXE
PID 2356 wrote to memory of 2360	2356	InstallUtil.exe	WINCPUL.EXE
PID 2356 wrote to memory of 2360	2356	InstallUtil.exe	WINCPUL.EXE
PID 2356 wrote to memory of 4808	2356	InstallUtil.exe	WINLOGONL.EXE
PID 2356 wrote to memory of 4808	2356	InstallUtil.exe	WINLOGONL.EXE
PID 2356 wrote to memory of 4808	2356	InstallUtil.exe	WINLOGONL.EXE
PID 2356 wrote to memory of 4440	2356	InstallUtil.exe	WINPLAY.EXE
PID 2356 wrote to memory of 4440	2356	InstallUtil.exe	WINPLAY.EXE
PID 2356 wrote to memory of 4440	2356	InstallUtil.exe	WINPLAY.EXE
PID 2356 wrote to memory of 5080	2356	InstallUtil.exe	ADOBESERV.EXE
PID 2356 wrote to memory of 5080	2356	InstallUtil.exe	ADOBESERV.EXE
PID 2356 wrote to memory of 5080	2356	InstallUtil.exe	ADOBESERV.EXE
PID 2356 wrote to memory of 1976	2356	InstallUtil.exe	AUDIOPT.EXE
PID 2356 wrote to memory of 1976	2356	InstallUtil.exe	AUDIOPT.EXE
PID 2356 wrote to memory of 1976	2356	InstallUtil.exe	AUDIOPT.EXE
PID 2356 wrote to memory of 1640	2356	InstallUtil.exe	DRVVIDEO.EXE
PID 2356 wrote to memory of 1640	2356	InstallUtil.exe	DRVVIDEO.EXE
PID 2356 wrote to memory of 1640	2356	InstallUtil.exe	DRVVIDEO.EXE
PID 2356 wrote to memory of 428	2356	InstallUtil.exe	WINCPUL.EXE
PID 2356 wrote to memory of 428	2356	InstallUtil.exe	WINCPUL.EXE
PID 2356 wrote to memory of 428	2356	InstallUtil.exe	WINCPUL.EXE
PID 2356 wrote to memory of 644	2356	InstallUtil.exe	WINLOGONL.EXE
PID 2356 wrote to memory of 644	2356	InstallUtil.exe	WINLOGONL.EXE
PID 2356 wrote to memory of 644	2356	InstallUtil.exe	WINLOGONL.EXE
PID 2356 wrote to memory of 2616	2356	InstallUtil.exe	WINPLAY.EXE
PID 2356 wrote to memory of 2616	2356	InstallUtil.exe	WINPLAY.EXE
PID 2356 wrote to memory of 2616	2356	InstallUtil.exe	WINPLAY.EXE
PID 3940 wrote to memory of 4052	3940	AUDIOPT.EXE	powershell.exe
PID 3940 wrote to memory of 4052	3940	AUDIOPT.EXE	powershell.exe
PID 3940 wrote to memory of 4052	3940	AUDIOPT.EXE	powershell.exe
PID 5068 wrote to memory of 4480	5068	DRVVIDEO.EXE	powershell.exe
PID 5068 wrote to memory of 4480	5068	DRVVIDEO.EXE	powershell.exe
PID 5068 wrote to memory of 4480	5068	DRVVIDEO.EXE	powershell.exe
PID 3852 wrote to memory of 4600	3852	ADOBESERV.EXE	powershell.exe
PID 3852 wrote to memory of 4600	3852	ADOBESERV.EXE	powershell.exe
PID 3852 wrote to memory of 4600	3852	ADOBESERV.EXE	powershell.exe
PID 4808 wrote to memory of 3928	4808	WINLOGONL.EXE	powershell.exe
PID 4808 wrote to memory of 3928	4808	WINLOGONL.EXE	powershell.exe
PID 4808 wrote to memory of 3928	4808	WINLOGONL.EXE	powershell.exe
PID 2360 wrote to memory of 3404	2360	WINCPUL.EXE	powershell.exe
PID 2360 wrote to memory of 3404	2360	WINCPUL.EXE	powershell.exe
PID 2360 wrote to memory of 3404	2360	WINCPUL.EXE	powershell.exe
PID 4440 wrote to memory of 1588	4440	WINPLAY.EXE	powershell.exe
PID 4440 wrote to memory of 1588	4440	WINPLAY.EXE	powershell.exe
PID 4440 wrote to memory of 1588	4440	WINPLAY.EXE	powershell.exe

outlook_office_path 1 IoCs

Processes:

wintsklt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wintsklt.exe

outlook_win_path 1 IoCs

Processes:

wintsklt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wintsklt.exe

C:\Users\Admin\AppData\Local\Temp\020824c1dfea0166bf1bfe3ce59af7a7.exe
"C:\Users\Admin\AppData\Local\Temp\020824c1dfea0166bf1bfe3ce59af7a7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:5848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5860

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Executes dropped EXE
PID:5912

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Executes dropped EXE
PID:6004

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:452

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
PID:6100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:5932

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:5868

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:3552

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:6088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:6020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
5⤵
- Creates scheduled task(s)
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD699.tmp.bat""
5⤵
PID:3100

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:5516

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:5632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
7⤵
PID:520

C:\Users\Admin\AppData\Roaming\wintskl.exe
C:\Users\Admin\AppData\Roaming\wintskl.exe
7⤵
- Executes dropped EXE
PID:6028

C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
4⤵
- Executes dropped EXE
PID:3712

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:6112

C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
4⤵
- Executes dropped EXE
PID:3356

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
4⤵
- Executes dropped EXE
PID:4800

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5376

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:5720

C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
4⤵
- Executes dropped EXE
PID:5740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADOBESERV.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AUDIOPT.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRVVIDEO.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINCPUL.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINLOGONL.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINPLAY.EXE.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
c9ca1c332a3484d0843217f83a924572

SHA1
f99b1889edb883574e0923c12d4c159d12289d4b

SHA256
65cfda03472425d465db12ace6681a97df9a2e3305c451e95d8df4eef07fa8c7

SHA512
ad1224ed95e5b56261a4c6a89fa7f1cc06e8b21c4ec1fc8784682e9d4a74d5f0f626837ef041904220174b76a54b433d750150d7d318b8220128189a93edd033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
8e17d9ac72fc803f6238e70a89613451

SHA1
192ea83a7fa49801713dbea7c19ddc5809a22af7

SHA256
977b9b8145c2d7f5187c5b8a059633d48c99ad6e251d8a47489cd7362609d9cb

SHA512
7615f9ed64dd47dd1c8f5ce0541dddec0e5e3713637ad834afebcc6d3bbbbcb8d04a323de7fb9942b9c412770275cb2886d10266176843d186e1084bf9aece5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ed7d1333e3205e51b1f42d793c01500c

SHA1
653e4b72db4ccdc92c083e1d2340e6d9c4e86903

SHA256
e3ca117fc97216df28145f7077403616f832bce3c9ed5c7fdb29f47b9a6d0c7b

SHA512
1d2961ad47a6beb0604e5d3891e54027f5081d1e1d61ca135cd03d883f59c84edac703943313b8219dc6c5e7c6ff8221433e7702bce96c44884ffdc47f04b67c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
f49d3cd86696af6f69aac2fb27e36c2a

SHA1
09377fb1eba906f95bc4279b8e8ea45bb8b9c50e

SHA256
389b19f6cbc2dcde6473d503589a3483e9923b51c0cd942242841fd437dc11f3

SHA512
d51d84602b96cd437cbc449346b04a726c96ebf73017fd19977c5eb95b6196a8a5d22018bc160200700ab1ced4a3906e4c2ddbaf94670353c9b524b5d5b84b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
f49d3cd86696af6f69aac2fb27e36c2a

SHA1
09377fb1eba906f95bc4279b8e8ea45bb8b9c50e

SHA256
389b19f6cbc2dcde6473d503589a3483e9923b51c0cd942242841fd437dc11f3

SHA512
d51d84602b96cd437cbc449346b04a726c96ebf73017fd19977c5eb95b6196a8a5d22018bc160200700ab1ced4a3906e4c2ddbaf94670353c9b524b5d5b84b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
52acf79184cd2b7fc6fa9a0884334b12

SHA1
e949e849215d8176ba41bf562ea574f2e004b867

SHA256
6c5915903143e1a28873d6303b87d1c63df99d14d71fc33b05f56f51de783454

SHA512
3f9b17510695685cb26ebd4f7c425983265549756a7dad3cc2c1cc2eb230c4d0b21a21ce2eaa5568d6a12199c481ee885a29f8f73d3e275a106f1deb5d356a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
52acf79184cd2b7fc6fa9a0884334b12

SHA1
e949e849215d8176ba41bf562ea574f2e004b867

SHA256
6c5915903143e1a28873d6303b87d1c63df99d14d71fc33b05f56f51de783454

SHA512
3f9b17510695685cb26ebd4f7c425983265549756a7dad3cc2c1cc2eb230c4d0b21a21ce2eaa5568d6a12199c481ee885a29f8f73d3e275a106f1deb5d356a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
c9c894ddd9893771a9f34df6b2dd6eb3

SHA1
c0b56f96bb3f38dc71ea17a1bb98131d6934a6a4

SHA256
f3b11ae615ccd3527da9e78f5cda87b0e363379d82803df349dc01fe919e87b3

SHA512
a58da82027afe8f4ff3a542aff7c2a1dcf83a1583fadd2ea13cff0e97ae5733431d834e447828557526f950f9b927ba05b4746361a4f16049e5a4fa0b91560ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
c9c894ddd9893771a9f34df6b2dd6eb3

SHA1
c0b56f96bb3f38dc71ea17a1bb98131d6934a6a4

SHA256
f3b11ae615ccd3527da9e78f5cda87b0e363379d82803df349dc01fe919e87b3

SHA512
a58da82027afe8f4ff3a542aff7c2a1dcf83a1583fadd2ea13cff0e97ae5733431d834e447828557526f950f9b927ba05b4746361a4f16049e5a4fa0b91560ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
c9c894ddd9893771a9f34df6b2dd6eb3

SHA1
c0b56f96bb3f38dc71ea17a1bb98131d6934a6a4

SHA256
f3b11ae615ccd3527da9e78f5cda87b0e363379d82803df349dc01fe919e87b3

SHA512
a58da82027afe8f4ff3a542aff7c2a1dcf83a1583fadd2ea13cff0e97ae5733431d834e447828557526f950f9b927ba05b4746361a4f16049e5a4fa0b91560ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
cdacc55725b513b1e882dfec2294116e

SHA1
c08fb1b00b8043c6ce26deee920acf5559bb4dc0

SHA256
bd2e0ae37a1036cab0b3d064d6a3c1c91cb810a98edab1b487deb7820642f300

SHA512
229e591116de520b59b853b14405c33bb1f713afde6ccbcd2ce1209b79075124389f3e0107096d15dbde972f610079c980e51ad969d6a12489691394c19737fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
cdacc55725b513b1e882dfec2294116e

SHA1
c08fb1b00b8043c6ce26deee920acf5559bb4dc0

SHA256
bd2e0ae37a1036cab0b3d064d6a3c1c91cb810a98edab1b487deb7820642f300

SHA512
229e591116de520b59b853b14405c33bb1f713afde6ccbcd2ce1209b79075124389f3e0107096d15dbde972f610079c980e51ad969d6a12489691394c19737fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE
Filesize
471KB

MD5
caa8b858c6b22d263c3b3029461191fc

SHA1
89922c2d98a35d3eb00acea5e7563a63e237265f

SHA256
d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1

SHA512
9f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD699.tmp.bat
Filesize
151B

MD5
09c5007c8ed403b5911be064c3f88309

SHA1
b07078561d07dbeab74842d88cf36020d0b703fd

SHA256
392400a9df26ebfc7004914226f8d45937676d569b562804856b176f566e3958

SHA512
3a75afe59c6705f6e3ef0adbc0d6139cfbea54987639caf7d629d4dcbfaf2253fe52b9357335e25b15d5f67f3210537a5f355a459a444eb9f40e4f6d2fc239ed

Download Submit
C:\Users\Admin\AppData\Roaming\Eubdk\Mpkly.exe
Filesize
512KB

MD5
2f679de5443dac203b91769a4c1c909d

SHA1
0c6abb07446d0bc0656b7304411de78f65d2e809

SHA256
cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e

SHA512
03b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0

Download Submit
C:\Users\Admin\AppData\Roaming\Gctkfrz\Lsqbtn.exe
Filesize
706KB

MD5
ec686b4055ed2cb7c2cad70b4d16d129

SHA1
07fa122ac1ab4451cf9fa239652faa867a29540e

SHA256
59baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a

SHA512
86e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21

Download Submit
C:\Users\Admin\AppData\Roaming\Rfuzmus\Qtipp.exe
Filesize
514KB

MD5
08e6dc43a44c34efb81e328b03652f3d

SHA1
e1359be06649ec0ff40d7b0ba39148afc5ff7855

SHA256
da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd

SHA512
e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c

Download Submit
C:\Users\Admin\AppData\Roaming\Thomibmb\Dbawda.exe
Filesize
971KB

MD5
b9627469e7f554de40844bb210bafc1b

SHA1
a9e0647c640bb4e7a5a432e984e294842d03455d

SHA256
5074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6

SHA512
86db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe
Filesize
42.9MB

MD5
c3fbf823d0ca4729de0112d4e50fd1dd

SHA1
8e2e7d36ca5a5ba1a4c980fd8cdd72be4d16e1ce

SHA256
85144907795f21b6b31aab7ed17077a3ca959914e0882ce0cfe4dd7b0d2f9e01

SHA512
b8668e5cdab4cc92e60d13c19096057b79f7e56f6447ce690d8fe2f04a5acceaca68ec4e1f4d2421ddfa4e478f75677a53b7038ce478158287f724f2046d61e0

Download Submit
C:\Users\Admin\AppData\Roaming\wintskl.exe
Filesize
42.9MB

MD5
c3fbf823d0ca4729de0112d4e50fd1dd

SHA1
8e2e7d36ca5a5ba1a4c980fd8cdd72be4d16e1ce

SHA256
85144907795f21b6b31aab7ed17077a3ca959914e0882ce0cfe4dd7b0d2f9e01

SHA512
b8668e5cdab4cc92e60d13c19096057b79f7e56f6447ce690d8fe2f04a5acceaca68ec4e1f4d2421ddfa4e478f75677a53b7038ce478158287f724f2046d61e0

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Users\Admin\Documents\wintsklt.exe
Filesize
519KB

MD5
601292d6c082d283f03c18d7544b191b

SHA1
695ad657e5bbc51c2b02bf674982a788dea95dbc

SHA256
8e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13

SHA512
bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/428-180-0x0000000000000000-mapping.dmp

Download
memory/452-248-0x0000000000000000-mapping.dmp

Download
memory/452-301-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/520-335-0x0000000000000000-mapping.dmp

Download
memory/644-182-0x0000000000000000-mapping.dmp

Download
memory/740-345-0x000000000B740000-0x000000000B7C4000-memory.dmp

Filesize
528KB

Download
memory/740-344-0x000000000B740000-0x000000000B7C4000-memory.dmp

Filesize
528KB

Download
memory/740-338-0x000000000B0F0000-0x000000000B290000-memory.dmp

Filesize
1.6MB

Download
memory/740-330-0x0000000000000000-mapping.dmp

Download
memory/740-339-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/740-334-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/872-313-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/872-310-0x0000000000000000-mapping.dmp

Download
memory/1180-194-0x0000000000000000-mapping.dmp

Download
memory/1588-192-0x0000000000000000-mapping.dmp

Download
memory/1640-179-0x0000000000000000-mapping.dmp

Download
memory/1976-177-0x0000000000000000-mapping.dmp

Download
memory/2356-149-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2356-148-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2356-202-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2356-146-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2356-162-0x0000000000400000-0x0000000000853000-memory.dmp

Filesize
4.3MB

Download
memory/2356-145-0x0000000000000000-mapping.dmp

Download
memory/2360-161-0x0000000000000000-mapping.dmp

Download
memory/2360-172-0x0000000000520000-0x00000000005A8000-memory.dmp

Filesize
544KB

Download
memory/2492-311-0x0000000000000000-mapping.dmp

Download
memory/2492-314-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2548-199-0x0000000000000000-mapping.dmp

Download
memory/2616-185-0x0000000000000000-mapping.dmp

Download
memory/2932-321-0x0000000000000000-mapping.dmp

Download
memory/3100-322-0x0000000000000000-mapping.dmp

Download
memory/3356-260-0x0000000000000000-mapping.dmp

Download
memory/3356-303-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3356-308-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3404-191-0x0000000000000000-mapping.dmp

Download
memory/3552-328-0x0000000000000000-mapping.dmp

Download
memory/3624-193-0x0000000000000000-mapping.dmp

Download
memory/3660-196-0x0000000000000000-mapping.dmp

Download
memory/3712-281-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3712-302-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3712-256-0x0000000000000000-mapping.dmp

Download
memory/3852-150-0x0000000000000000-mapping.dmp

Download
memory/3852-158-0x0000000000B20000-0x0000000000C1A000-memory.dmp

Filesize
1000KB

Download
memory/3928-190-0x0000000000000000-mapping.dmp

Download
memory/3940-157-0x0000000000A40000-0x0000000000AF8000-memory.dmp

Filesize
736KB

Download
memory/3940-153-0x0000000000000000-mapping.dmp

Download
memory/4052-187-0x0000000000000000-mapping.dmp

Download
memory/4160-137-0x0000000002F00000-0x0000000002F36000-memory.dmp

Filesize
216KB

Download
memory/4160-143-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/4160-141-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/4160-140-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/4160-142-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/4160-139-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/4160-138-0x0000000005630000-0x0000000005C58000-memory.dmp

Filesize
6.2MB

Download
memory/4160-136-0x0000000000000000-mapping.dmp

Download
memory/4160-144-0x00000000069B0000-0x00000000069CA000-memory.dmp

Filesize
104KB

Download
memory/4440-167-0x0000000000000000-mapping.dmp

Download
memory/4440-174-0x0000000000B60000-0x0000000000BDC000-memory.dmp

Filesize
496KB

Download
memory/4480-188-0x0000000000000000-mapping.dmp

Download
memory/4600-189-0x0000000000000000-mapping.dmp

Download
memory/4800-262-0x0000000000000000-mapping.dmp

Download
memory/4800-300-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4800-304-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4808-164-0x0000000000000000-mapping.dmp

Download
memory/4808-173-0x00000000009E0000-0x0000000000A66000-memory.dmp

Filesize
536KB

Download
memory/5016-135-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/5016-134-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/5016-133-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/5016-132-0x0000000000A40000-0x0000000000C4E000-memory.dmp

Filesize
2.1MB

Download
memory/5068-156-0x0000000000000000-mapping.dmp

Download
memory/5068-163-0x0000000000300000-0x0000000000386000-memory.dmp

Filesize
536KB

Download
memory/5080-175-0x0000000000000000-mapping.dmp

Download
memory/5084-198-0x0000000000000000-mapping.dmp

Download
memory/5112-197-0x0000000000000000-mapping.dmp

Download
memory/5376-257-0x0000000000000000-mapping.dmp

Download
memory/5376-287-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5376-269-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5376-264-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5376-274-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5376-276-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5384-305-0x0000000000000000-mapping.dmp

Download
memory/5516-324-0x0000000000000000-mapping.dmp

Download
memory/5632-325-0x0000000000000000-mapping.dmp

Download
memory/5720-259-0x0000000000000000-mapping.dmp

Download
memory/5740-285-0x0000000000000000-mapping.dmp

Download
memory/5848-204-0x0000000000000000-mapping.dmp

Download
memory/5860-318-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5860-211-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5860-205-0x0000000000000000-mapping.dmp

Download
memory/5860-206-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5860-208-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5860-236-0x000000006F880000-0x000000006F8B9000-memory.dmp

Filesize
228KB

Download
memory/5868-312-0x0000000000000000-mapping.dmp

Download
memory/5912-213-0x0000000000000000-mapping.dmp

Download
memory/5932-309-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5932-218-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5932-241-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5932-214-0x0000000000000000-mapping.dmp

Download
memory/5932-224-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5992-337-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/5992-336-0x0000000000000000-mapping.dmp

Download
memory/6004-222-0x0000000000000000-mapping.dmp

Download
memory/6020-239-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6020-317-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/6020-223-0x0000000000000000-mapping.dmp

Download
memory/6028-342-0x0000000000000000-mapping.dmp

Download
memory/6088-228-0x0000000000000000-mapping.dmp

Download
memory/6088-238-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6088-279-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6088-252-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6088-320-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6100-237-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6100-250-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6100-316-0x000000000AD90000-0x000000000AF30000-memory.dmp

Filesize
1.6MB

Download
memory/6100-319-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6100-275-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/6100-340-0x000000000B170000-0x000000000B1F4000-memory.dmp

Filesize
528KB

Download
memory/6100-341-0x000000000B170000-0x000000000B1F4000-memory.dmp

Filesize
528KB

Download
memory/6100-232-0x0000000000000000-mapping.dmp

Download
memory/6112-227-0x0000000000000000-mapping.dmp

Download
memory/6120-261-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/6120-229-0x0000000000000000-mapping.dmp

Download