asyncrat | 96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2023 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dogecoin-Miner2022.exe
Size

5.8MB
MD5

e72b1feb2a030b80c0c5209dbdfc6b94
SHA1

bf5c2c1dc9a1f65938af801146022939216a4504
SHA256

96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365
SHA512

2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a
SSDEEP

98304:WHfHfHfHFH1m9kS4Wcv9PSQDBf3M3fWtUVtXHEtAYvzh:2///91m93NcvVSWVM3f8A

Score

10^/10

asyncrat darkcomet warzonerat @1++dec_code1 @333++jan_code3333 new-july-july4-0 new-july-july4-01 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

@333++JAN_Code3333

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-3DU7V7J

Attributes

InstallPath
winrars.exe
gencode
Wv1Q34JHUltQ
install
true
offline_keylogger
true
password
hhhhhh
persistence
false
reg_key
winrar

Extracted

Family

darkcomet

Botnet

New-July-July4-01

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-U4BEN1Z

Attributes

gencode
8sAQdbHcGDto
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

@1++Dec_Code1

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-QKTE9F0

Attributes

gencode
mHPyGzxUU6he
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Dogecoin-Miner2022.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\winrars.exe"	Dogecoin-Miner2022.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3200-284-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 18 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1780-267-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1780-270-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/1780-274-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2284-298-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2284-301-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5028-304-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5028-307-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2284-309-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5028-310-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3312-341-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5116-342-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/3312-344-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2284-345-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/6096-346-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/6096-347-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2544-351-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/2544-356-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/3476-354-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Drops file in Drivers directory 4 IoCs

Processes:

Dogecoin-Miner2022.exeInstallUtil.exeDRVHDD.EXEDRVHDD.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Dogecoin-Miner2022.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE

Executes dropped EXE 37 IoCs

Processes:

ADOBEL.EXEMEDIAPL.EXEUSBDRVL.EXEWINAUDIO.EXEWININST.EXEwinrars.exeADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEwinrars.exewinrars.exewinrars.exewinrars.exewinrars.exeUSBDRVI.EXEUSBDRVI.EXEDRVHDD.EXEWINCPU.EXEWINPLAYEER.EXEWINLOGONW.EXEWINCPU.EXEUSBDRVI.EXEWINLOGONW.EXEWINPLAYEER.EXEDRVHDD.EXEWINLOGONW.EXEwintsklt.exeMEDIAPL.EXE

pid	process
3084	ADOBEL.EXE
1548	MEDIAPL.EXE
2428	USBDRVL.EXE
4244	WINAUDIO.EXE
2184	WININST.EXE
2448	winrars.exe
1412	ADOBESTV.EXE
3532	DRVHDD.EXE
1928	USBDRVI.EXE
1552	WINCPU.EXE
1316	WINLOGONW.EXE
3676	WINPLAYEER.EXE
1296	ADOBESTV.EXE
3160	DRVHDD.EXE
1444	USBDRVI.EXE
3724	WINCPU.EXE
1436	WINLOGONW.EXE
4808	WINPLAYEER.EXE
5708	winrars.exe
5884	winrars.exe
5972	winrars.exe
5996	winrars.exe
6036	winrars.exe
5488	USBDRVI.EXE
1780	USBDRVI.EXE
5516	DRVHDD.EXE
3200	WINCPU.EXE
2284	WINPLAYEER.EXE
5028	WINLOGONW.EXE
4356	WINCPU.EXE
3312	USBDRVI.EXE
3088	WINLOGONW.EXE
5116	WINPLAYEER.EXE
6000	DRVHDD.EXE
6096	WINLOGONW.EXE
5600	wintsklt.exe
1272	MEDIAPL.EXE

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4412-142-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/4412-144-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/4412-145-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/4412-146-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/4412-171-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/216-183-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/216-185-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/216-186-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/216-187-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/216-246-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/4632-259-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4632-261-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4632-262-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4632-271-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5516-276-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5516-278-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5516-281-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5516-279-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5516-287-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3112-297-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6000-340-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1272-348-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1272-349-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1272-350-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1272-352-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

USBDRVI.EXEWINLOGONW.EXEWINPLAYEER.EXEUSBDRVI.EXEWINCPU.EXEDogecoin-Miner2022.exeWININST.EXEWINCPU.EXEADOBESTV.EXEADOBESTV.EXEDRVHDD.EXEDRVHDD.EXEWINLOGONW.EXEWINPLAYEER.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Dogecoin-Miner2022.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WININST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ADOBESTV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ADOBESTV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE

Drops startup file 2 IoCs

Processes:

WINPLAYEER.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINPLAYEER.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINPLAYEER.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dogecoin-Miner2022.exeWINPLAYEER.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\winrars.exe"	Dogecoin-Miner2022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINPLAYEER.EXE

Suspicious use of SetThreadContext 15 IoCs

Processes:

Dogecoin-Miner2022.exeWININST.EXEADOBESTV.EXEUSBDRVI.EXEDRVHDD.EXEWINCPU.EXEADOBESTV.EXEWINPLAYEER.EXEWINLOGONW.EXEWINCPU.EXEUSBDRVI.EXEWINPLAYEER.EXEDRVHDD.EXEWINLOGONW.EXEMEDIAPL.EXE

description	pid	process	target process
PID 644 set thread context of 4412	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 2184 set thread context of 216	2184	WININST.EXE	InstallUtil.exe
PID 1412 set thread context of 4632	1412	ADOBESTV.EXE	InstallUtil.exe
PID 1928 set thread context of 1780	1928	USBDRVI.EXE	USBDRVI.EXE
PID 3532 set thread context of 5516	3532	DRVHDD.EXE	DRVHDD.EXE
PID 1552 set thread context of 3200	1552	WINCPU.EXE	WINCPU.EXE
PID 1296 set thread context of 3112	1296	ADOBESTV.EXE	InstallUtil.exe
PID 3676 set thread context of 2284	3676	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 1316 set thread context of 5028	1316	WINLOGONW.EXE	WINLOGONW.EXE
PID 3724 set thread context of 4356	3724	WINCPU.EXE	WINCPU.EXE
PID 1444 set thread context of 3312	1444	USBDRVI.EXE	USBDRVI.EXE
PID 4808 set thread context of 5116	4808	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 3160 set thread context of 6000	3160	DRVHDD.EXE	DRVHDD.EXE
PID 1436 set thread context of 6096	1436	WINLOGONW.EXE	WINLOGONW.EXE
PID 1548 set thread context of 1272	1548	MEDIAPL.EXE	MEDIAPL.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

WINPLAYEER.EXE

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData WINPLAYEER.EXE

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINPLAYEER.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Dogecoin-Miner2022.exeUSBDRVL.EXEADOBEL.EXEMEDIAPL.EXEWINAUDIO.EXEwinrars.exepowershell.exeWININST.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
644	Dogecoin-Miner2022.exe
2428	USBDRVL.EXE
3084	ADOBEL.EXE
1548	MEDIAPL.EXE
4244	WINAUDIO.EXE
2428	USBDRVL.EXE
3084	ADOBEL.EXE
4244	WINAUDIO.EXE
1548	MEDIAPL.EXE
2448	winrars.exe
1164	powershell.exe
1164	powershell.exe
2448	winrars.exe
2184	WININST.EXE
2184	WININST.EXE
2184	WININST.EXE
2184	WININST.EXE
2184	WININST.EXE
2184	WININST.EXE
4852	powershell.exe
4852	powershell.exe
3148	powershell.exe
3148	powershell.exe
1216	powershell.exe
1216	powershell.exe
2088	powershell.exe
2088	powershell.exe
676	powershell.exe
676	powershell.exe
1564	powershell.exe
1564	powershell.exe
1716	powershell.exe
1716	powershell.exe
1920	powershell.exe
1920	powershell.exe
1632	powershell.exe
1632	powershell.exe
2224	powershell.exe
2224	powershell.exe
964	powershell.exe
964	powershell.exe
4228	powershell.exe
4228	powershell.exe
4852	powershell.exe
4852	powershell.exe
676	powershell.exe
3148	powershell.exe
3148	powershell.exe
1216	powershell.exe
1216	powershell.exe
1564	powershell.exe
2088	powershell.exe
2428	USBDRVL.EXE
2428	USBDRVL.EXE
1716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Dogecoin-Miner2022.exeDogecoin-Miner2022.exeADOBEL.EXEMEDIAPL.EXEUSBDRVL.EXEWINAUDIO.EXEwinrars.exepowershell.exeWININST.EXEInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	644	Dogecoin-Miner2022.exe
Token: SeIncreaseQuotaPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeSecurityPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeTakeOwnershipPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeLoadDriverPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeSystemProfilePrivilege	4412	Dogecoin-Miner2022.exe
Token: SeSystemtimePrivilege	4412	Dogecoin-Miner2022.exe
Token: SeProfSingleProcessPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeIncBasePriorityPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeCreatePagefilePrivilege	4412	Dogecoin-Miner2022.exe
Token: SeBackupPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeRestorePrivilege	4412	Dogecoin-Miner2022.exe
Token: SeShutdownPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeDebugPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeSystemEnvironmentPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeChangeNotifyPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeRemoteShutdownPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeUndockPrivilege	4412	Dogecoin-Miner2022.exe
Token: SeManageVolumePrivilege	4412	Dogecoin-Miner2022.exe
Token: SeImpersonatePrivilege	4412	Dogecoin-Miner2022.exe
Token: SeCreateGlobalPrivilege	4412	Dogecoin-Miner2022.exe
Token: 33	4412	Dogecoin-Miner2022.exe
Token: 34	4412	Dogecoin-Miner2022.exe
Token: 35	4412	Dogecoin-Miner2022.exe
Token: 36	4412	Dogecoin-Miner2022.exe
Token: SeDebugPrivilege	3084	ADOBEL.EXE
Token: SeDebugPrivilege	1548	MEDIAPL.EXE
Token: SeDebugPrivilege	2428	USBDRVL.EXE
Token: SeDebugPrivilege	4244	WINAUDIO.EXE
Token: SeDebugPrivilege	2448	winrars.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2184	WININST.EXE
Token: SeIncreaseQuotaPrivilege	216	InstallUtil.exe
Token: SeSecurityPrivilege	216	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	216	InstallUtil.exe
Token: SeLoadDriverPrivilege	216	InstallUtil.exe
Token: SeSystemProfilePrivilege	216	InstallUtil.exe
Token: SeSystemtimePrivilege	216	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	216	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	216	InstallUtil.exe
Token: SeCreatePagefilePrivilege	216	InstallUtil.exe
Token: SeBackupPrivilege	216	InstallUtil.exe
Token: SeRestorePrivilege	216	InstallUtil.exe
Token: SeShutdownPrivilege	216	InstallUtil.exe
Token: SeDebugPrivilege	216	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	216	InstallUtil.exe
Token: SeChangeNotifyPrivilege	216	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	216	InstallUtil.exe
Token: SeUndockPrivilege	216	InstallUtil.exe
Token: SeManageVolumePrivilege	216	InstallUtil.exe
Token: SeImpersonatePrivilege	216	InstallUtil.exe
Token: SeCreateGlobalPrivilege	216	InstallUtil.exe
Token: 33	216	InstallUtil.exe
Token: 34	216	InstallUtil.exe
Token: 35	216	InstallUtil.exe
Token: 36	216	InstallUtil.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

InstallUtil.exeInstallUtil.exeDRVHDD.EXE

pid process

216 InstallUtil.exe
4632 InstallUtil.exe
5516 DRVHDD.EXE

pid	process
216	InstallUtil.exe
4632	InstallUtil.exe
5516	DRVHDD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dogecoin-Miner2022.exeDogecoin-Miner2022.exeWININST.EXE

description	pid	process	target process
PID 644 wrote to memory of 1828	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1828	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1828	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1828	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1828	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1828	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1828	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 3048	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 3048	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 3048	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 3048	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 3048	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 3048	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 3048	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1112	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1112	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1112	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1112	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1112	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1112	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1112	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1560	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1560	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1560	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1560	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1560	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1560	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 1560	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 4412	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 4412	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 4412	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 4412	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 4412	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 4412	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 644 wrote to memory of 4412	644	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 4412 wrote to memory of 3084	4412	Dogecoin-Miner2022.exe	ADOBEL.EXE
PID 4412 wrote to memory of 3084	4412	Dogecoin-Miner2022.exe	ADOBEL.EXE
PID 4412 wrote to memory of 3084	4412	Dogecoin-Miner2022.exe	ADOBEL.EXE
PID 4412 wrote to memory of 1548	4412	Dogecoin-Miner2022.exe	MEDIAPL.EXE
PID 4412 wrote to memory of 1548	4412	Dogecoin-Miner2022.exe	MEDIAPL.EXE
PID 4412 wrote to memory of 1548	4412	Dogecoin-Miner2022.exe	MEDIAPL.EXE
PID 4412 wrote to memory of 2428	4412	Dogecoin-Miner2022.exe	USBDRVL.EXE
PID 4412 wrote to memory of 2428	4412	Dogecoin-Miner2022.exe	USBDRVL.EXE
PID 4412 wrote to memory of 2428	4412	Dogecoin-Miner2022.exe	USBDRVL.EXE
PID 4412 wrote to memory of 4244	4412	Dogecoin-Miner2022.exe	WINAUDIO.EXE
PID 4412 wrote to memory of 4244	4412	Dogecoin-Miner2022.exe	WINAUDIO.EXE
PID 4412 wrote to memory of 4244	4412	Dogecoin-Miner2022.exe	WINAUDIO.EXE
PID 4412 wrote to memory of 2184	4412	Dogecoin-Miner2022.exe	WININST.EXE
PID 4412 wrote to memory of 2184	4412	Dogecoin-Miner2022.exe	WININST.EXE
PID 4412 wrote to memory of 2184	4412	Dogecoin-Miner2022.exe	WININST.EXE
PID 4412 wrote to memory of 2448	4412	Dogecoin-Miner2022.exe	winrars.exe
PID 4412 wrote to memory of 2448	4412	Dogecoin-Miner2022.exe	winrars.exe
PID 4412 wrote to memory of 2448	4412	Dogecoin-Miner2022.exe	winrars.exe
PID 2184 wrote to memory of 1164	2184	WININST.EXE	powershell.exe
PID 2184 wrote to memory of 1164	2184	WININST.EXE	powershell.exe
PID 2184 wrote to memory of 1164	2184	WININST.EXE	powershell.exe
PID 2184 wrote to memory of 320	2184	WININST.EXE	InstallUtil.exe
PID 2184 wrote to memory of 320	2184	WININST.EXE	InstallUtil.exe
PID 2184 wrote to memory of 320	2184	WININST.EXE	InstallUtil.exe
PID 2184 wrote to memory of 216	2184	WININST.EXE	InstallUtil.exe
PID 2184 wrote to memory of 216	2184	WININST.EXE	InstallUtil.exe
PID 2184 wrote to memory of 216	2184	WININST.EXE	InstallUtil.exe
PID 2184 wrote to memory of 216	2184	WININST.EXE	InstallUtil.exe
PID 2184 wrote to memory of 216	2184	WININST.EXE	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe"
2⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe"
2⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe"
2⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe"
2⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE"
4⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE
"C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE
"C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE"
4⤵
- Executes dropped EXE
PID:1272

C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
"C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
"C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE"
4⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\USBDRVL.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVL.EXE"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:4048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:5644

C:\Users\Admin\AppData\Local\Temp\WININST.EXE
"C:\Users\Admin\AppData\Local\Temp\WININST.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:216

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:6128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:6140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5516

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
6⤵
- Executes dropped EXE
PID:5488

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
6⤵
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
6⤵
- Executes dropped EXE
PID:3200

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
6⤵
- Executes dropped EXE
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
6⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:2284

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
7⤵
- Executes dropped EXE
PID:5600

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:6000

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
6⤵
- Executes dropped EXE
PID:3312

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
6⤵
- Executes dropped EXE
PID:4356

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
6⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
6⤵
- Executes dropped EXE
PID:6096

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
6⤵
- Executes dropped EXE
PID:5116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:2496

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
- Executes dropped EXE
PID:5708

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
- Executes dropped EXE
PID:5884

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
- Executes dropped EXE
PID:5972

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
- Executes dropped EXE
PID:5996

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
- Executes dropped EXE
PID:6036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADOBESTV.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\USBDRVI.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINCPU.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
99ef4083ee7308e0af175e8d558afa30

SHA1
08b8d15cce20e7d5efa130ed45a319756fde298c

SHA256
2f5923dd86202a7913f48d534c623cfbf46e14e5a2a45972b7227efc5f2c0d77

SHA512
db7dc2b84a753d24dafe307b1ed5b7d737e78046d993fd0c6b1b0539da04d2573c33fdcbd7826ae93006a759ee9d5bddecd7aac211ae98b406466b7ec6a96e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
e501cadef4e48f5925319bb84706be74

SHA1
462882b86366f7ab1f96b439770973c03ebec677

SHA256
d945964e26a4cc9fbcf5750ba62797fdd092ed2399c697ad7303661e15542cb2

SHA512
3a98fb6e62c2a6d0a85c130293c54e6f6e038f2ad4036d64758e0b8a0be84ef5e41b4fbe005379a74ff6b9e52325e85c7503f6cec8c1b225cb6ca36ee93db722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
b424643e547c8c54cc6ea22a493f0bd5

SHA1
a2fd8ac8798a43a900a9b3c2b78d22cb1d363ee5

SHA256
9022d1998fa5685bd016a7cf55da1f2e306bc5a012092f1a3088ba8dae151621

SHA512
6ed083c201dddf927d5f975c74fb722bb4c837d94b3ed70de4fd9af465d7a3239cb4b3228528b7592bddf9c65adf94a82147076f05691488da2d8065b346a9dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
5fceb13cb3ae943a3d8d50a512476ce7

SHA1
b1d4782242b28a7c75e08f19b393d62226ea1c74

SHA256
286798eeffe8b3d76116202441a5c31b421aa9373a90b9f056d14fd252307b28

SHA512
d139d83ea8faa133e7f2705311296e82a858520aca4e8d990f4c445c91f0520210963b1040616f9365d3bdfa90d23012923f313ec322739d2f909743bcc4f8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
87578cf5bcd5d9c3e365742daaa0cd82

SHA1
88bfa9504d572c59c18dee9085c1f775755596d4

SHA256
023cea5b8d415fed5daaf87aae420d982b9ddcbadc6fe9906a98ced42f9a11b9

SHA512
86bf021cd239c709d37d4c3a2016295bb0022a28865f7d2419553d55f764fe17eebb6ae524b43bd73dd0d47f554f88ebbbf941e3796aed76e4d004bd4f852ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9a6fe6f10f3bb434dc50ed45f84c41f6

SHA1
1ccaa05a350a1b551beb904de909d09dabdcbf51

SHA256
6a9e7673d20b850fad46c3267a3757a4919f5552902c1d4466522177873ffd7f

SHA512
8a1835d548bf90d3ba8006cd08ed585a45868f6b39d54d485f335ff99f9c540a993186084f1462b75fe63a96ebb182dd772025bc58c33d9239d7ef692d99a0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
b4cdb9cf7d0b040b566786bda94a0a69

SHA1
d628de1baafa1b87a7370db7a3908b146a5bfae0

SHA256
4bee55d62224304864a653209744affbec6e8f1e4afd794237507887d82ef179

SHA512
232309c4e7dd13d54b8eeeeb33ab15f1ae14738198995449fb0e5bd6614234304e9d32e7ddda62cc2c4534641782a3de881c512fca85363c3529d14a0630e8db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
d6e3e98c8908051e8711ba9fa9abfe7d

SHA1
d969442603ad689884d34c8a9effbe63482e56fe

SHA256
374a396285e0c7789a4b293f6b171de73079573503b88bd69464235c075dbf87

SHA512
0b396c25689c82704c0f125875ac03a70a6a5fa76b1da7373ddf9dabbdfa13991b4df5c27ff2c747099229f9e00c786f23be3bdf74f487842bc661f611e7aec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
83f106d967a6df0398934243a4ff86d5

SHA1
ecd699f3ade619100eb2503f261402cec8852fb3

SHA256
d6adc762384372460ca48386678611f5a15e50f63a93e2329ac1b3fb0b4aed3e

SHA512
29b091ea937f120c6712f62e27dee4b7713fd6e0d58738d7eb51e804615bbd5dbe28c6f9b27b56f8cb486a8e4075ddc8723c2eeafbcc97baf046f454c6066a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
6989ca189d5f3bc2f4ea8559ec7729a6

SHA1
d8b22f410816af490c351d0d9902836cc9b3a6b5

SHA256
9732383c8a0d4a4f492bc9288721124f3428ba1b1b2550449219d3dc1aee922c

SHA512
f2831631c58047d32a4cac76683799c561f9a4d0e840a29e622e752d461f2b098b171da93cee5ee0c782e7b8da29e78daf1f1c82550fd67f30c454786667b52c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ddd2deb4ac097a2b64c8306f86772e9f

SHA1
0b573b93bc5d8a7b26fae3545b415c8b7c9b4fbb

SHA256
82d9a5251101811925e22b76df997c431d2f491d065e6c66f0102b32bdc9d439

SHA512
431a55ee5d76f958447384bb24559466c59dce6b96f961c5e9ce3b6cba4418d7858a3cb2af25513f34b9ae1d6782904c97068f913661eca60852f2b9993416db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
c9e1dc199805be4d5344b178746cf4d9

SHA1
ee7ac08477483d6b0bc84449c8e3387120b768b2

SHA256
d7264810728fc1614eb86c6b43434e11772d3e206004c79e2415d684a070998b

SHA512
7bceccc4ec97705a0c3a028ea7b97bfaed3c334f80d5f3111aa201e130a4c2cf28ff220111f5eb8b4f75f2b86a69727c60dbb32d19c8ffcf8e20decdea24dcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE
Filesize
985KB

MD5
fad81a8f80f87e9b17b2a3dce00668f6

SHA1
8d9e668075212b0f03b80074e4eb504641fb777c

SHA256
c56a8eafee823b1b1314ada0a16f5c605161a8124058d074aac024a35da6510a

SHA512
ec5da33612b05fd6230b52b99423fb65757c8c358310dde007aaec1664fce37ab3891cfb447e1961da3309434a0c3bc54dd94f7f7c016beb7f1f407c8e18bb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE
Filesize
985KB

MD5
fad81a8f80f87e9b17b2a3dce00668f6

SHA1
8d9e668075212b0f03b80074e4eb504641fb777c

SHA256
c56a8eafee823b1b1314ada0a16f5c605161a8124058d074aac024a35da6510a

SHA512
ec5da33612b05fd6230b52b99423fb65757c8c358310dde007aaec1664fce37ab3891cfb447e1961da3309434a0c3bc54dd94f7f7c016beb7f1f407c8e18bb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE
Filesize
1.0MB

MD5
394a78e8ca31affd5a96db8f22ff965a

SHA1
14671b470360ccce32727e1358d4be009f770a60

SHA256
55cae6c7ed0fdf78bb508d16486aff62b28e12f71673eb0d8da677d9b2c9083b

SHA512
b0559026884d91710c95c1f34ef32226ace8d27149c4ca6fa845ad7c78967d37e296d5dc0067f220bb3980b9b9a7233250c4d65bb63c8c7d88602f32d3a6b5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE
Filesize
1.0MB

MD5
394a78e8ca31affd5a96db8f22ff965a

SHA1
14671b470360ccce32727e1358d4be009f770a60

SHA256
55cae6c7ed0fdf78bb508d16486aff62b28e12f71673eb0d8da677d9b2c9083b

SHA512
b0559026884d91710c95c1f34ef32226ace8d27149c4ca6fa845ad7c78967d37e296d5dc0067f220bb3980b9b9a7233250c4d65bb63c8c7d88602f32d3a6b5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVL.EXE
Filesize
460KB

MD5
f801a1ed5cc85679c8531f6b8615d4bb

SHA1
27ce78dee6bfaec60168919a4ebbe7018b1ed221

SHA256
c4620c2664fdc755792d04f2c7c4fa6fa7895a84f71f8c249345d630c60b4a92

SHA512
39200249fb2fbb6521ebc7b321bcd5c2f8e39b2b1bf7d7da48fd7ffc5e7115d8220dbab3939431dca87f7723076b8bb0d01888d32a688d26d1f08c5bee41d465

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVL.EXE
Filesize
460KB

MD5
f801a1ed5cc85679c8531f6b8615d4bb

SHA1
27ce78dee6bfaec60168919a4ebbe7018b1ed221

SHA256
c4620c2664fdc755792d04f2c7c4fa6fa7895a84f71f8c249345d630c60b4a92

SHA512
39200249fb2fbb6521ebc7b321bcd5c2f8e39b2b1bf7d7da48fd7ffc5e7115d8220dbab3939431dca87f7723076b8bb0d01888d32a688d26d1f08c5bee41d465

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
Filesize
681KB

MD5
1bcdee3deb2bbd592d95a05eb2684146

SHA1
84783a744992736460ac91b941efac196da993c1

SHA256
526e878235324760850d6627c53b99badabe482130eb7d95712eddfb8de8092c

SHA512
32e0145c2ff1b657683c5e529690b5be1d57e7b0087b1e2bfe355c153069684fec5577e45a9bd45a1f3ca986268fa8a35413580fb36f56aa047f6068c7df80a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
Filesize
681KB

MD5
1bcdee3deb2bbd592d95a05eb2684146

SHA1
84783a744992736460ac91b941efac196da993c1

SHA256
526e878235324760850d6627c53b99badabe482130eb7d95712eddfb8de8092c

SHA512
32e0145c2ff1b657683c5e529690b5be1d57e7b0087b1e2bfe355c153069684fec5577e45a9bd45a1f3ca986268fa8a35413580fb36f56aa047f6068c7df80a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WININST.EXE
Filesize
2.1MB

MD5
363e16c17f14b6afc2b4d76a5bcd6d92

SHA1
d13feb1cce32abf5b9d6790c3c1b0b802b555daf

SHA256
7ffb773e458a7d40d4d4c0163bf24b0a0c266c7f6ab3ccba830d259fba5a3970

SHA512
3ada9b4b9d28c7dd552e918255460219c1316e147456b55867f2f31a268f80cad6aa4139feee4f546348fd7662d9f330d11cb08c1894b74199ca37a304b1e46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WININST.EXE
Filesize
2.1MB

MD5
363e16c17f14b6afc2b4d76a5bcd6d92

SHA1
d13feb1cce32abf5b9d6790c3c1b0b802b555daf

SHA256
7ffb773e458a7d40d4d4c0163bf24b0a0c266c7f6ab3ccba830d259fba5a3970

SHA512
3ada9b4b9d28c7dd552e918255460219c1316e147456b55867f2f31a268f80cad6aa4139feee4f546348fd7662d9f330d11cb08c1894b74199ca37a304b1e46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/216-183-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/216-182-0x0000000000000000-mapping.dmp

Download
memory/216-246-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/216-185-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/216-186-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/216-187-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/320-181-0x0000000000000000-mapping.dmp

Download
memory/644-132-0x0000000000A20000-0x0000000000FFA000-memory.dmp

Filesize
5.9MB

Download
memory/644-135-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/644-136-0x000000000BFA0000-0x000000000BFAA000-memory.dmp

Filesize
40KB

Download
memory/644-133-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/644-134-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/676-226-0x0000000000000000-mapping.dmp

Download
memory/964-240-0x0000000000000000-mapping.dmp

Download
memory/1112-139-0x0000000000000000-mapping.dmp

Download
memory/1164-180-0x0000000006330000-0x000000000634A000-memory.dmp

Filesize
104KB

Download
memory/1164-173-0x0000000004870000-0x00000000048A6000-memory.dmp

Filesize
216KB

Download
memory/1164-177-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/1164-178-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/1164-172-0x0000000000000000-mapping.dmp

Download
memory/1164-179-0x00000000073E0000-0x0000000007A5A000-memory.dmp

Filesize
6.5MB

Download
memory/1164-176-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/1164-175-0x0000000004E80000-0x0000000004EA2000-memory.dmp

Filesize
136KB

Download
memory/1164-174-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/1216-222-0x0000000000000000-mapping.dmp

Download
memory/1272-348-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1272-350-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1272-349-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1272-235-0x0000000000000000-mapping.dmp

Download
memory/1272-352-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1296-213-0x0000000000000000-mapping.dmp

Download
memory/1316-211-0x0000000000F10000-0x0000000000F82000-memory.dmp

Filesize
456KB

Download
memory/1316-202-0x0000000000000000-mapping.dmp

Download
memory/1412-189-0x0000000000000000-mapping.dmp

Download
memory/1412-192-0x00000000006C0000-0x000000000077A000-memory.dmp

Filesize
744KB

Download
memory/1436-224-0x0000000000000000-mapping.dmp

Download
memory/1444-217-0x0000000000000000-mapping.dmp

Download
memory/1548-150-0x0000000000000000-mapping.dmp

Download
memory/1548-155-0x0000000000270000-0x0000000000378000-memory.dmp

Filesize
1.0MB

Download
memory/1552-200-0x0000000000000000-mapping.dmp

Download
memory/1552-208-0x0000000000B70000-0x0000000000BD8000-memory.dmp

Filesize
416KB

Download
memory/1560-140-0x0000000000000000-mapping.dmp

Download
memory/1564-231-0x0000000000000000-mapping.dmp

Download
memory/1632-234-0x0000000000000000-mapping.dmp

Download
memory/1716-232-0x0000000000000000-mapping.dmp

Download
memory/1780-274-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1780-270-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1780-267-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1780-266-0x0000000000000000-mapping.dmp

Download
memory/1828-137-0x0000000000000000-mapping.dmp

Download
memory/1920-233-0x0000000000000000-mapping.dmp

Download
memory/1928-201-0x00000000005F0000-0x0000000000664000-memory.dmp

Filesize
464KB

Download
memory/1928-196-0x0000000000000000-mapping.dmp

Download
memory/2088-228-0x0000000000000000-mapping.dmp

Download
memory/2184-166-0x0000000000C30000-0x0000000000E56000-memory.dmp

Filesize
2.1MB

Download
memory/2184-162-0x0000000000000000-mapping.dmp

Download
memory/2224-236-0x0000000000000000-mapping.dmp

Download
memory/2284-301-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2284-309-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2284-345-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2284-298-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2284-294-0x0000000000000000-mapping.dmp

Download
memory/2428-161-0x00000000000E0000-0x000000000015A000-memory.dmp

Filesize
488KB

Download
memory/2428-154-0x0000000000000000-mapping.dmp

Download
memory/2448-167-0x0000000000000000-mapping.dmp

Download
memory/2448-170-0x00000000007D0000-0x0000000000DAA000-memory.dmp

Filesize
5.9MB

Download
memory/2544-237-0x0000000000000000-mapping.dmp

Download
memory/2544-351-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2544-356-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3048-138-0x0000000000000000-mapping.dmp

Download
memory/3084-147-0x0000000000000000-mapping.dmp

Download
memory/3084-153-0x0000000000970000-0x0000000000A6C000-memory.dmp

Filesize
1008KB

Download
memory/3088-326-0x0000000000000000-mapping.dmp

Download
memory/3112-297-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3112-289-0x0000000000000000-mapping.dmp

Download
memory/3148-220-0x0000000000000000-mapping.dmp

Download
memory/3160-215-0x0000000000000000-mapping.dmp

Download
memory/3200-283-0x0000000000000000-mapping.dmp

Download
memory/3200-284-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3312-316-0x0000000000000000-mapping.dmp

Download
memory/3312-341-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3312-344-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3476-239-0x0000000000000000-mapping.dmp

Download
memory/3476-357-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3476-354-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/3532-193-0x0000000000000000-mapping.dmp

Download
memory/3532-199-0x0000000000350000-0x00000000003F0000-memory.dmp

Filesize
640KB

Download
memory/3676-207-0x0000000000000000-mapping.dmp

Download
memory/3676-212-0x0000000000310000-0x0000000000386000-memory.dmp

Filesize
472KB

Download
memory/3724-221-0x0000000000000000-mapping.dmp

Download
memory/4048-238-0x0000000000000000-mapping.dmp

Download
memory/4228-241-0x0000000000000000-mapping.dmp

Download
memory/4244-158-0x0000000000000000-mapping.dmp

Download
memory/4244-163-0x0000000000DE0000-0x0000000000E90000-memory.dmp

Filesize
704KB

Download
memory/4356-311-0x0000000000000000-mapping.dmp

Download
memory/4412-142-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/4412-146-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/4412-141-0x0000000000000000-mapping.dmp

Download
memory/4412-145-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/4412-171-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/4412-144-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/4632-258-0x0000000000000000-mapping.dmp

Download
memory/4632-271-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4632-262-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4632-261-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4632-273-0x000000006E880000-0x000000006E8B9000-memory.dmp

Filesize
228KB

Download
memory/4632-259-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4808-227-0x0000000000000000-mapping.dmp

Download
memory/4852-216-0x0000000000000000-mapping.dmp

Download
memory/5028-307-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5028-310-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5028-303-0x0000000000000000-mapping.dmp

Download
memory/5028-304-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5116-342-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5488-264-0x0000000000000000-mapping.dmp

Download
memory/5516-287-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5516-276-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5516-279-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5516-281-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5516-278-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5516-275-0x0000000000000000-mapping.dmp

Download
memory/5644-243-0x0000000000000000-mapping.dmp

Download
memory/5708-244-0x0000000000000000-mapping.dmp

Download
memory/5884-248-0x0000000000000000-mapping.dmp

Download
memory/5972-250-0x0000000000000000-mapping.dmp

Download
memory/5996-252-0x0000000000000000-mapping.dmp

Download
memory/6000-340-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6000-323-0x0000000000000000-mapping.dmp

Download
memory/6036-254-0x0000000000000000-mapping.dmp

Download
memory/6052-343-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/6052-313-0x0000000000000000-mapping.dmp

Download
memory/6096-346-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6096-347-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/6096-328-0x0000000000000000-mapping.dmp

Download
memory/6128-256-0x0000000000000000-mapping.dmp

Download
memory/6140-257-0x0000000000000000-mapping.dmp

Download