asyncrat | 5ca12788e41f318c0ce21ad6a83020fe303f9219811451651335e51e8b891b63

Analysis

max time kernel
210s
max time network
213s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-10-2022 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dogecoin-Miner2022/Dogecoin-Miner2022l.exe
Size

2.1MB
MD5

36620d7c222248584634f10481f3be35
SHA1

2f65c68e266d55fe334f2bb3fcd8f824b090cf5f
SHA256

ff2bc238f2ce0d5c0b08af957f4098b63f3c402edc3694370950805780647888
SHA512

8d03f58e08c3c6553551e0d7ad7ef8ddc591c0f174d3c99cfc757e466038a4d1829c3643605ec64fbc7f65385036030a704b9f0835ab8bd58f9f3d92ea75928c
SSDEEP

49152:MeEP61UdA1RtpDlgwG20lx7xV+59phiYBF1h3tfK2ek0jg:J1UoRtpJg/lx7xY9phBF1ptC2ekM

Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 new-july-july4-01 evasion infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-01

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-U4BEN1Z

Attributes

gencode
8sAQdbHcGDto
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ADOBESTV.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"	ADOBESTV.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	ADOBESTV.EXE
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	ADOBESTV.EXE

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

ADOBESTV.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "1" ADOBESTV.EXE
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "1"	ADOBESTV.EXE

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ADOBESTV.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "0"	ADOBESTV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "0"	ADOBESTV.EXE

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2600-289-0x000000000040C38E-mapping.dmp	asyncrat
behavioral1/memory/2600-301-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 26 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2688-202-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2688-199-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2688-213-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2688-211-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2688-208-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2780-226-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-224-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-222-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2688-216-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2780-229-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-238-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2780-249-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2780-286-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1888-302-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/2688-307-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1888-308-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/2780-312-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2688-314-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1888-315-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/1936-330-0x0000000000406DE6-mapping.dmp	warzonerat
behavioral1/memory/1936-334-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/520-340-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/520-344-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1936-345-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral1/memory/520-346-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/976-376-0x0000000000406DE6-mapping.dmp	warzonerat

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

ADOBESTV.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	ADOBESTV.EXE

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

Processes:

InstallUtil.exeDRVHDD.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE

Executes dropped EXE 42 IoCs

Processes:

ADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEUSBDRVI.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEDRVHDD.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEWINLOGONW.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEADOBESTV.EXEWINCPU.EXEUSBDRVI.EXEWINPLAYEER.EXEWINLOGONW.EXEwintsklt.exewintsklt.exewintskl.exe

pid	process
1728	ADOBESTV.EXE
760	DRVHDD.EXE
1256	USBDRVI.EXE
1944	WINCPU.EXE
1452	WINLOGONW.EXE
1600	WINPLAYEER.EXE
1432	ADOBESTV.EXE
1028	DRVHDD.EXE
1524	USBDRVI.EXE
1764	WINCPU.EXE
1012	WINLOGONW.EXE
1428	WINPLAYEER.EXE
2688	USBDRVI.EXE
2808	ADOBESTV.EXE
2944	ADOBESTV.EXE
2980	ADOBESTV.EXE
2928	ADOBESTV.EXE
3028	ADOBESTV.EXE
2000	ADOBESTV.EXE
2792	DRVHDD.EXE
2964	ADOBESTV.EXE
2184	ADOBESTV.EXE
2992	ADOBESTV.EXE
2288	ADOBESTV.EXE
2780	WINLOGONW.EXE
3040	ADOBESTV.EXE
2096	ADOBESTV.EXE
1076	ADOBESTV.EXE
2468	ADOBESTV.EXE
1720	ADOBESTV.EXE
2220	ADOBESTV.EXE
2320	ADOBESTV.EXE
1808	ADOBESTV.EXE
2460	ADOBESTV.EXE
2136	ADOBESTV.EXE
2600	WINCPU.EXE
1888	USBDRVI.EXE
1936	WINPLAYEER.EXE
520	WINLOGONW.EXE
3016	wintsklt.exe
976	wintsklt.exe
2992	wintskl.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1808-64-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral1/memory/1808-66-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral1/memory/1808-68-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral1/memory/1808-72-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral1/memory/1808-73-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral1/memory/1808-87-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral1/memory/1808-178-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral1/memory/1808-180-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral1/memory/2792-217-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2792-232-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2792-231-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2792-290-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2792-313-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

WINPLAYEER.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINPLAYEER.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINPLAYEER.EXE

Loads dropped DLL 42 IoCs

Processes:

InstallUtil.exeADOBESTV.EXEUSBDRVI.EXEWINLOGONW.EXEDRVHDD.EXEADOBESTV.EXEADOBESTV.EXEWINLOGONW.EXEDRVHDD.EXEWINCPU.EXEUSBDRVI.EXEWINPLAYEER.EXEWINPLAYEER.EXEcmd.exe

pid	process
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	InstallUtil.exe
1808	ADOBESTV.EXE
1808	ADOBESTV.EXE
1808	ADOBESTV.EXE
1256	USBDRVI.EXE
1452	WINLOGONW.EXE
760	DRVHDD.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1012	WINLOGONW.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1728	ADOBESTV.EXE
1028	DRVHDD.EXE
1764	WINCPU.EXE
1524	USBDRVI.EXE
1428	WINPLAYEER.EXE
1936	WINPLAYEER.EXE
1924	cmd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ADOBESTV.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "0"	ADOBESTV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "0"	ADOBESTV.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINPLAYEER.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINPLAYEER.EXE

Suspicious use of SetThreadContext 9 IoCs

Processes:

Dogecoin-Miner2022l.exeUSBDRVI.EXEDRVHDD.EXEWINLOGONW.EXEWINCPU.EXEUSBDRVI.EXEWINPLAYEER.EXEWINLOGONW.EXEwintsklt.exe

description	pid	process	target process
PID 1976 set thread context of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1256 set thread context of 2688	1256	USBDRVI.EXE	USBDRVI.EXE
PID 760 set thread context of 2792	760	DRVHDD.EXE	DRVHDD.EXE
PID 1452 set thread context of 2780	1452	WINLOGONW.EXE	WINLOGONW.EXE
PID 1764 set thread context of 2600	1764	WINCPU.EXE	WINCPU.EXE
PID 1524 set thread context of 1888	1524	USBDRVI.EXE	USBDRVI.EXE
PID 1428 set thread context of 1936	1428	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 1012 set thread context of 520	1012	WINLOGONW.EXE	WINLOGONW.EXE
PID 3016 set thread context of 976	3016	wintsklt.exe	wintsklt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2440 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1476 timeout.exe
NTFS ADS 1 IoCs

Processes:

WINPLAYEER.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINPLAYEER.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2624 PING.EXE

pid	process
2440	schtasks.exe

pid	process
1476	timeout.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINPLAYEER.EXE

pid	process
2624	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeDogecoin-Miner2022l.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeADOBESTV.EXEUSBDRVI.EXEWINLOGONW.EXEADOBESTV.EXEDRVHDD.EXEADOBESTV.EXE

pid	process
824	powershell.exe
1976	Dogecoin-Miner2022l.exe
1756	powershell.exe
1672	powershell.exe
452	powershell.exe
1588	powershell.exe
1636	powershell.exe
1180	powershell.exe
2116	powershell.exe
2156	powershell.exe
2196	powershell.exe
1808	ADOBESTV.EXE
1808	ADOBESTV.EXE
1256	USBDRVI.EXE
1256	USBDRVI.EXE
1452	WINLOGONW.EXE
1452	WINLOGONW.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
760	DRVHDD.EXE
760	DRVHDD.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1728	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE
1432	ADOBESTV.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUSBDRVI.EXEWINLOGONW.EXEDRVHDD.EXEADOBESTV.EXEADOBESTV.EXEWINLOGONW.EXEDRVHDD.EXEWINCPU.EXEUSBDRVI.EXEDRVHDD.EXE

description	pid	process
Token: SeDebugPrivilege	824	powershell.exe
Token: SeIncreaseQuotaPrivilege	1808	InstallUtil.exe
Token: SeSecurityPrivilege	1808	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	1808	InstallUtil.exe
Token: SeLoadDriverPrivilege	1808	InstallUtil.exe
Token: SeSystemProfilePrivilege	1808	InstallUtil.exe
Token: SeSystemtimePrivilege	1808	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	1808	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1808	InstallUtil.exe
Token: SeCreatePagefilePrivilege	1808	InstallUtil.exe
Token: SeBackupPrivilege	1808	InstallUtil.exe
Token: SeRestorePrivilege	1808	InstallUtil.exe
Token: SeShutdownPrivilege	1808	InstallUtil.exe
Token: SeDebugPrivilege	1808	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	1808	InstallUtil.exe
Token: SeChangeNotifyPrivilege	1808	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	1808	InstallUtil.exe
Token: SeUndockPrivilege	1808	InstallUtil.exe
Token: SeManageVolumePrivilege	1808	InstallUtil.exe
Token: SeImpersonatePrivilege	1808	InstallUtil.exe
Token: SeCreateGlobalPrivilege	1808	InstallUtil.exe
Token: 33	1808	InstallUtil.exe
Token: 34	1808	InstallUtil.exe
Token: 35	1808	InstallUtil.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1256	USBDRVI.EXE
Token: SeDebugPrivilege	1452	WINLOGONW.EXE
Token: SeDebugPrivilege	760	DRVHDD.EXE
Token: SeDebugPrivilege	1728	ADOBESTV.EXE
Token: SeDebugPrivilege	1432	ADOBESTV.EXE
Token: SeDebugPrivilege	1012	WINLOGONW.EXE
Token: SeDebugPrivilege	1028	DRVHDD.EXE
Token: SeDebugPrivilege	1764	WINCPU.EXE
Token: SeDebugPrivilege	1524	USBDRVI.EXE
Token: SeIncreaseQuotaPrivilege	2792	DRVHDD.EXE
Token: SeSecurityPrivilege	2792	DRVHDD.EXE
Token: SeTakeOwnershipPrivilege	2792	DRVHDD.EXE
Token: SeLoadDriverPrivilege	2792	DRVHDD.EXE
Token: SeSystemProfilePrivilege	2792	DRVHDD.EXE
Token: SeSystemtimePrivilege	2792	DRVHDD.EXE
Token: SeProfSingleProcessPrivilege	2792	DRVHDD.EXE
Token: SeIncBasePriorityPrivilege	2792	DRVHDD.EXE
Token: SeCreatePagefilePrivilege	2792	DRVHDD.EXE
Token: SeBackupPrivilege	2792	DRVHDD.EXE
Token: SeRestorePrivilege	2792	DRVHDD.EXE
Token: SeShutdownPrivilege	2792	DRVHDD.EXE
Token: SeDebugPrivilege	2792	DRVHDD.EXE
Token: SeSystemEnvironmentPrivilege	2792	DRVHDD.EXE
Token: SeChangeNotifyPrivilege	2792	DRVHDD.EXE
Token: SeRemoteShutdownPrivilege	2792	DRVHDD.EXE
Token: SeUndockPrivilege	2792	DRVHDD.EXE
Token: SeManageVolumePrivilege	2792	DRVHDD.EXE
Token: SeImpersonatePrivilege	2792	DRVHDD.EXE
Token: SeCreateGlobalPrivilege	2792	DRVHDD.EXE
Token: 33	2792	DRVHDD.EXE
Token: 34	2792	DRVHDD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXE

pid process

1808 ADOBESTV.EXE
2792 DRVHDD.EXE
2688 USBDRVI.EXE

pid	process
1808	ADOBESTV.EXE
2792	DRVHDD.EXE
2688	USBDRVI.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dogecoin-Miner2022l.exeInstallUtil.exeADOBESTV.EXEUSBDRVI.EXEWINLOGONW.EXEDRVHDD.EXEWINPLAYEER.EXE

description	pid	process	target process
PID 1976 wrote to memory of 824	1976	Dogecoin-Miner2022l.exe	powershell.exe
PID 1976 wrote to memory of 824	1976	Dogecoin-Miner2022l.exe	powershell.exe
PID 1976 wrote to memory of 824	1976	Dogecoin-Miner2022l.exe	powershell.exe
PID 1976 wrote to memory of 824	1976	Dogecoin-Miner2022l.exe	powershell.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1976 wrote to memory of 1808	1976	Dogecoin-Miner2022l.exe	InstallUtil.exe
PID 1808 wrote to memory of 1728	1808	InstallUtil.exe	ADOBESTV.EXE
PID 1808 wrote to memory of 1728	1808	InstallUtil.exe	ADOBESTV.EXE
PID 1808 wrote to memory of 1728	1808	InstallUtil.exe	ADOBESTV.EXE
PID 1808 wrote to memory of 1728	1808	InstallUtil.exe	ADOBESTV.EXE
PID 1808 wrote to memory of 760	1808	InstallUtil.exe	DRVHDD.EXE
PID 1808 wrote to memory of 760	1808	InstallUtil.exe	DRVHDD.EXE
PID 1808 wrote to memory of 760	1808	InstallUtil.exe	DRVHDD.EXE
PID 1808 wrote to memory of 760	1808	InstallUtil.exe	DRVHDD.EXE
PID 1808 wrote to memory of 1256	1808	InstallUtil.exe	USBDRVI.EXE
PID 1808 wrote to memory of 1256	1808	InstallUtil.exe	USBDRVI.EXE
PID 1808 wrote to memory of 1256	1808	InstallUtil.exe	USBDRVI.EXE
PID 1808 wrote to memory of 1256	1808	InstallUtil.exe	USBDRVI.EXE
PID 1808 wrote to memory of 1944	1808	InstallUtil.exe	WINCPU.EXE
PID 1808 wrote to memory of 1944	1808	InstallUtil.exe	WINCPU.EXE
PID 1808 wrote to memory of 1944	1808	InstallUtil.exe	WINCPU.EXE
PID 1808 wrote to memory of 1944	1808	InstallUtil.exe	WINCPU.EXE
PID 1808 wrote to memory of 1452	1808	InstallUtil.exe	WINLOGONW.EXE
PID 1808 wrote to memory of 1452	1808	InstallUtil.exe	WINLOGONW.EXE
PID 1808 wrote to memory of 1452	1808	InstallUtil.exe	WINLOGONW.EXE
PID 1808 wrote to memory of 1452	1808	InstallUtil.exe	WINLOGONW.EXE
PID 1728 wrote to memory of 1672	1728	ADOBESTV.EXE	powershell.exe
PID 1728 wrote to memory of 1672	1728	ADOBESTV.EXE	powershell.exe
PID 1728 wrote to memory of 1672	1728	ADOBESTV.EXE	powershell.exe
PID 1728 wrote to memory of 1672	1728	ADOBESTV.EXE	powershell.exe
PID 1808 wrote to memory of 1600	1808	InstallUtil.exe	WINPLAYEER.EXE
PID 1808 wrote to memory of 1600	1808	InstallUtil.exe	WINPLAYEER.EXE
PID 1808 wrote to memory of 1600	1808	InstallUtil.exe	WINPLAYEER.EXE
PID 1808 wrote to memory of 1600	1808	InstallUtil.exe	WINPLAYEER.EXE
PID 1256 wrote to memory of 452	1256	USBDRVI.EXE	powershell.exe
PID 1256 wrote to memory of 452	1256	USBDRVI.EXE	powershell.exe
PID 1256 wrote to memory of 452	1256	USBDRVI.EXE	powershell.exe
PID 1256 wrote to memory of 452	1256	USBDRVI.EXE	powershell.exe
PID 1452 wrote to memory of 1756	1452	WINLOGONW.EXE	powershell.exe
PID 1452 wrote to memory of 1756	1452	WINLOGONW.EXE	powershell.exe
PID 1452 wrote to memory of 1756	1452	WINLOGONW.EXE	powershell.exe
PID 1452 wrote to memory of 1756	1452	WINLOGONW.EXE	powershell.exe
PID 760 wrote to memory of 1588	760	DRVHDD.EXE	powershell.exe
PID 760 wrote to memory of 1588	760	DRVHDD.EXE	powershell.exe
PID 760 wrote to memory of 1588	760	DRVHDD.EXE	powershell.exe
PID 760 wrote to memory of 1588	760	DRVHDD.EXE	powershell.exe
PID 1808 wrote to memory of 1432	1808	InstallUtil.exe	ADOBESTV.EXE
PID 1808 wrote to memory of 1432	1808	InstallUtil.exe	ADOBESTV.EXE
PID 1808 wrote to memory of 1432	1808	InstallUtil.exe	ADOBESTV.EXE
PID 1808 wrote to memory of 1432	1808	InstallUtil.exe	ADOBESTV.EXE
PID 1600 wrote to memory of 756	1600	WINPLAYEER.EXE	powershell.exe
PID 1600 wrote to memory of 756	1600	WINPLAYEER.EXE	powershell.exe
PID 1600 wrote to memory of 756	1600	WINPLAYEER.EXE	powershell.exe
PID 1600 wrote to memory of 756	1600	WINPLAYEER.EXE	powershell.exe
PID 1808 wrote to memory of 1028	1808	InstallUtil.exe	DRVHDD.EXE

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

ADOBESTV.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	ADOBESTV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	ADOBESTV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "0"	ADOBESTV.EXE

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022\Dogecoin-Miner2022l.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022\Dogecoin-Miner2022l.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2808

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2928

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2964

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2220

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:3040

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2460

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2096

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1808

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
5⤵
PID:2212

C:\Windows\SysWOW64\PING.EXE
ping 1.2.3.4 -n 2 -w 1000
6⤵
- Runs ping.exe
PID:2624

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
3⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
4⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2992

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2980

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2944

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:1076

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2000

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2320

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2468

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:2136

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
4⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
4⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
4⤵
- Executes dropped EXE
PID:1888

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
4⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
5⤵
- Creates scheduled task(s)
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp566B.tmp.bat""
5⤵
- Loads dropped DLL
PID:1924

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:1476

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
6⤵
- Executes dropped EXE
PID:2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
7⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
4⤵
- Executes dropped EXE
PID:520

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
PID:1936

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
PID:2568

C:\Users\Admin\Documents\wintsklt.exe
C:\Users\Admin\Documents\wintsklt.exe
6⤵
- Executes dropped EXE
PID:976

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0de1c91738f0241517f7c98da491031e

SHA1
cde8c37c54df9f61b91ec7cd2cda6c27e36893cb

SHA256
5238dad283cb000d035684825f6a0ae2fb2131dbae4ab300c62dcd2ad5be4cb9

SHA512
24f724158b9e18683415181ac9baa4eb6a0b5ff78fe650bd6329d27091d211be8e8197f32ef447be7a6165cd7a70f9a15e8d1682f1a37a95a3a3faf91eaa8e63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0de1c91738f0241517f7c98da491031e

SHA1
cde8c37c54df9f61b91ec7cd2cda6c27e36893cb

SHA256
5238dad283cb000d035684825f6a0ae2fb2131dbae4ab300c62dcd2ad5be4cb9

SHA512
24f724158b9e18683415181ac9baa4eb6a0b5ff78fe650bd6329d27091d211be8e8197f32ef447be7a6165cd7a70f9a15e8d1682f1a37a95a3a3faf91eaa8e63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0de1c91738f0241517f7c98da491031e

SHA1
cde8c37c54df9f61b91ec7cd2cda6c27e36893cb

SHA256
5238dad283cb000d035684825f6a0ae2fb2131dbae4ab300c62dcd2ad5be4cb9

SHA512
24f724158b9e18683415181ac9baa4eb6a0b5ff78fe650bd6329d27091d211be8e8197f32ef447be7a6165cd7a70f9a15e8d1682f1a37a95a3a3faf91eaa8e63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0de1c91738f0241517f7c98da491031e

SHA1
cde8c37c54df9f61b91ec7cd2cda6c27e36893cb

SHA256
5238dad283cb000d035684825f6a0ae2fb2131dbae4ab300c62dcd2ad5be4cb9

SHA512
24f724158b9e18683415181ac9baa4eb6a0b5ff78fe650bd6329d27091d211be8e8197f32ef447be7a6165cd7a70f9a15e8d1682f1a37a95a3a3faf91eaa8e63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0de1c91738f0241517f7c98da491031e

SHA1
cde8c37c54df9f61b91ec7cd2cda6c27e36893cb

SHA256
5238dad283cb000d035684825f6a0ae2fb2131dbae4ab300c62dcd2ad5be4cb9

SHA512
24f724158b9e18683415181ac9baa4eb6a0b5ff78fe650bd6329d27091d211be8e8197f32ef447be7a6165cd7a70f9a15e8d1682f1a37a95a3a3faf91eaa8e63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0de1c91738f0241517f7c98da491031e

SHA1
cde8c37c54df9f61b91ec7cd2cda6c27e36893cb

SHA256
5238dad283cb000d035684825f6a0ae2fb2131dbae4ab300c62dcd2ad5be4cb9

SHA512
24f724158b9e18683415181ac9baa4eb6a0b5ff78fe650bd6329d27091d211be8e8197f32ef447be7a6165cd7a70f9a15e8d1682f1a37a95a3a3faf91eaa8e63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0de1c91738f0241517f7c98da491031e

SHA1
cde8c37c54df9f61b91ec7cd2cda6c27e36893cb

SHA256
5238dad283cb000d035684825f6a0ae2fb2131dbae4ab300c62dcd2ad5be4cb9

SHA512
24f724158b9e18683415181ac9baa4eb6a0b5ff78fe650bd6329d27091d211be8e8197f32ef447be7a6165cd7a70f9a15e8d1682f1a37a95a3a3faf91eaa8e63

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
memory/452-114-0x0000000000000000-mapping.dmp

Download
memory/452-191-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/452-157-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/452-184-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/520-340-0x0000000000405CE2-mapping.dmp

Download
memory/520-346-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/520-344-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/756-128-0x0000000000000000-mapping.dmp

Download
memory/760-80-0x0000000000000000-mapping.dmp

Download
memory/760-91-0x0000000000930000-0x00000000009D0000-memory.dmp

Filesize
640KB

Download
memory/760-103-0x0000000004BC0000-0x0000000004C48000-memory.dmp

Filesize
544KB

Download
memory/824-60-0x000000006F330000-0x000000006F8DB000-memory.dmp

Filesize
5.7MB

Download
memory/824-61-0x000000006F330000-0x000000006F8DB000-memory.dmp

Filesize
5.7MB

Download
memory/824-58-0x0000000000000000-mapping.dmp

Download
memory/824-62-0x000000006F330000-0x000000006F8DB000-memory.dmp

Filesize
5.7MB

Download
memory/976-376-0x0000000000406DE6-mapping.dmp

Download
memory/1012-143-0x0000000000000000-mapping.dmp

Download
memory/1028-130-0x0000000000000000-mapping.dmp

Download
memory/1180-188-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1180-156-0x0000000000000000-mapping.dmp

Download
memory/1180-175-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1180-259-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1256-97-0x0000000000AA0000-0x0000000000AFC000-memory.dmp

Filesize
368KB

Download
memory/1256-90-0x0000000000C50000-0x0000000000CC4000-memory.dmp

Filesize
464KB

Download
memory/1256-86-0x0000000000000000-mapping.dmp

Download
memory/1428-147-0x0000000000000000-mapping.dmp

Download
memory/1432-125-0x0000000000000000-mapping.dmp

Download
memory/1452-110-0x0000000000AF0000-0x0000000000B4A000-memory.dmp

Filesize
360KB

Download
memory/1452-104-0x0000000000EE0000-0x0000000000F52000-memory.dmp

Filesize
456KB

Download
memory/1452-100-0x0000000000000000-mapping.dmp

Download
memory/1476-385-0x0000000000000000-mapping.dmp

Download
memory/1524-134-0x0000000000000000-mapping.dmp

Download
memory/1560-304-0x0000000000000000-mapping.dmp

Download
memory/1560-310-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/1560-316-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/1560-317-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-158-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-197-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-185-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-118-0x0000000000000000-mapping.dmp

Download
memory/1600-119-0x0000000000B00000-0x0000000000B5C000-memory.dmp

Filesize
368KB

Download
memory/1600-116-0x0000000000F50000-0x0000000000FC6000-memory.dmp

Filesize
472KB

Download
memory/1600-109-0x0000000000000000-mapping.dmp

Download
memory/1636-218-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-186-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-153-0x0000000000000000-mapping.dmp

Download
memory/1636-169-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-107-0x0000000000000000-mapping.dmp

Download
memory/1672-182-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-141-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-200-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-75-0x0000000000000000-mapping.dmp

Download
memory/1728-85-0x0000000004D90000-0x0000000004E32000-memory.dmp

Filesize
648KB

Download
memory/1728-78-0x00000000003D0000-0x000000000048A000-memory.dmp

Filesize
744KB

Download
memory/1756-115-0x0000000000000000-mapping.dmp

Download
memory/1756-183-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-201-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-151-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-155-0x00000000002B0000-0x0000000000300000-memory.dmp

Filesize
320KB

Download
memory/1764-139-0x0000000000000000-mapping.dmp

Download
memory/1808-73-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1808-178-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1808-69-0x00000000007B4ED0-mapping.dmp

Download
memory/1808-87-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1808-180-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1808-63-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1808-64-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1808-66-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1808-68-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1808-72-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1888-315-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1888-302-0x0000000000406DE6-mapping.dmp

Download
memory/1888-308-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1924-384-0x0000000000000000-mapping.dmp

Download
memory/1936-345-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1936-334-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1936-330-0x0000000000406DE6-mapping.dmp

Download
memory/1944-106-0x0000000000E10000-0x0000000000E78000-memory.dmp

Filesize
416KB

Download
memory/1944-95-0x0000000000000000-mapping.dmp

Download
memory/1976-56-0x0000000005230000-0x0000000005448000-memory.dmp

Filesize
2.1MB

Download
memory/1976-54-0x0000000000A90000-0x0000000000CB4000-memory.dmp

Filesize
2.1MB

Download
memory/1976-55-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download
memory/1976-57-0x0000000002150000-0x000000000219C000-memory.dmp

Filesize
304KB

Download
memory/2116-244-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-160-0x0000000000000000-mapping.dmp

Download
memory/2116-187-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-170-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-389-0x0000000000000000-mapping.dmp

Download
memory/2156-245-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2156-161-0x0000000000000000-mapping.dmp

Download
memory/2156-189-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2156-176-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-177-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-162-0x0000000000000000-mapping.dmp

Download
memory/2196-256-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-190-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-381-0x0000000000000000-mapping.dmp

Download
memory/2264-350-0x0000000000000000-mapping.dmp

Download
memory/2440-361-0x0000000000000000-mapping.dmp

Download
memory/2568-357-0x0000000000000000-mapping.dmp

Download
memory/2600-179-0x0000000000000000-mapping.dmp

Download
memory/2600-289-0x000000000040C38E-mapping.dmp

Download
memory/2600-301-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2624-383-0x0000000000000000-mapping.dmp

Download
memory/2688-202-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-193-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-216-0x0000000000406DE6-mapping.dmp

Download
memory/2688-199-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-208-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-307-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-196-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-194-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-211-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-213-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2688-314-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2780-312-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-229-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-249-0x0000000000405CE2-mapping.dmp

Download
memory/2780-212-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-215-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-206-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-238-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-226-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-286-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-222-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2780-224-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2792-217-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2792-239-0x00000000004B56A0-mapping.dmp

Download
memory/2792-290-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2792-210-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2792-313-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2792-232-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2792-231-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2992-386-0x0000000000000000-mapping.dmp

Download
memory/3016-353-0x0000000000000000-mapping.dmp

Download
memory/3068-348-0x0000000000000000-mapping.dmp

Download