asyncrat | 96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2023 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dogecoin-Miner2022.exe
Size

5.8MB
MD5

e72b1feb2a030b80c0c5209dbdfc6b94
SHA1

bf5c2c1dc9a1f65938af801146022939216a4504
SHA256

96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365
SHA512

2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a
SSDEEP

98304:WHfHfHfHFH1m9kS4Wcv9PSQDBf3M3fWtUVtXHEtAYvzh:2///91m93NcvVSWVM3f8A

Score

10^/10

asyncrat darkcomet warzonerat @1++dec_code1 @333++jan_code3333 new-july-july4-0 new-july-july4-01 infostealer persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

@333++JAN_Code3333

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-3DU7V7J

Attributes

InstallPath
winrars.exe
gencode
Wv1Q34JHUltQ
install
true
offline_keylogger
true
password
hhhhhh
persistence
false
reg_key
winrar

Extracted

Family

darkcomet

Botnet

New-July-July4-01

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-U4BEN1Z

Attributes

gencode
8sAQdbHcGDto
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

dgorijan20785.hopto.org:5199

45.74.4.244:5199

dgorijan20785.hopto.org:5200

Extracted

Family

darkcomet

Botnet

@1++Dec_Code1

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-QKTE9F0

Attributes

gencode
mHPyGzxUU6he
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Dogecoin-Miner2022.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\winrars.exe"	Dogecoin-Miner2022.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/6100-256-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/5560-358-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Warzone RAT payload 26 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5952-281-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5952-285-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5288-288-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5288-291-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5952-293-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5288-294-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4980-333-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4980-321-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4980-309-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2532-341-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4208-342-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1568-344-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5288-345-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/2532-346-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4208-347-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/5356-353-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/5356-357-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/5356-360-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/5952-364-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/4980-365-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1568-366-0x0000000000400000-0x0000000000559000-memory.dmp	warzonerat
behavioral2/memory/5984-367-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/5984-369-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/5984-370-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/5984-371-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat
behavioral2/memory/5356-374-0x0000000000400000-0x0000000000568000-memory.dmp	warzonerat

Drops file in Drivers directory 5 IoCs

Processes:

Dogecoin-Miner2022.exeInstallUtil.exeDRVHDD.EXEDRVHDD.EXEMEDIAPL.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Dogecoin-Miner2022.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DRVHDD.EXE
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MEDIAPL.EXE

Executes dropped EXE 45 IoCs

Processes:

ADOBEL.EXEMEDIAPL.EXEUSBDRVL.EXEWINAUDIO.EXEWININST.EXEwinrars.exeADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEADOBESTV.EXEDRVHDD.EXEUSBDRVI.EXEWINCPU.EXEWINLOGONW.EXEWINPLAYEER.EXEWINAUDIO.EXEWINAUDIO.EXEwinrars.exeWINAUDIO.EXEwinrars.exewinrars.exeWINCPU.EXEWINCPU.EXEDRVHDD.EXEDRVHDD.EXEDRVHDD.EXEUSBDRVI.EXEWINPLAYEER.EXEUSBDRVI.EXEWINLOGONW.EXEWINCPU.EXEWINLOGONW.EXEDRVHDD.EXEWINCPU.EXEUSBDRVI.EXEWINPLAYEER.EXEWINLOGONW.EXEwintsklt.exeMEDIAPL.EXEADOBEL.EXEWINAUDIO.EXEimages.exe

pid	process
4548	ADOBEL.EXE
2520	MEDIAPL.EXE
3984	USBDRVL.EXE
4796	WINAUDIO.EXE
556	WININST.EXE
4764	winrars.exe
1268	ADOBESTV.EXE
3816	DRVHDD.EXE
2108	USBDRVI.EXE
4208	WINCPU.EXE
4912	WINLOGONW.EXE
4064	WINPLAYEER.EXE
1180	ADOBESTV.EXE
1272	DRVHDD.EXE
2624	USBDRVI.EXE
364	WINCPU.EXE
4296	WINLOGONW.EXE
2064	WINPLAYEER.EXE
5372	WINAUDIO.EXE
5740	WINAUDIO.EXE
5844	winrars.exe
5924	WINAUDIO.EXE
5964	winrars.exe
5996	winrars.exe
6084	WINCPU.EXE
6100	WINCPU.EXE
5464	DRVHDD.EXE
5256	DRVHDD.EXE
5216	DRVHDD.EXE
5952	USBDRVI.EXE
5288	WINPLAYEER.EXE
1936	USBDRVI.EXE
4980	WINLOGONW.EXE
6112	WINCPU.EXE
2736	WINLOGONW.EXE
6108	DRVHDD.EXE
1308	WINCPU.EXE
2532	USBDRVI.EXE
1568	WINPLAYEER.EXE
4208	WINLOGONW.EXE
3540	wintsklt.exe
5340	MEDIAPL.EXE
5356	ADOBEL.EXE
5984	WINAUDIO.EXE
5208	images.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1592-138-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/1592-140-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/1592-141-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/1592-142-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/1592-168-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/3848-178-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/3848-180-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/3848-181-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/3848-195-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/3848-244-0x0000000000400000-0x00000000007B8000-memory.dmp	upx
behavioral2/memory/5216-265-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5216-267-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5216-268-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5216-269-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5628-274-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5628-276-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5628-278-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5628-282-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5216-280-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1336-331-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/6108-335-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6108-339-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5340-351-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5340-354-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5340-356-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5340-352-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5340-359-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5628-362-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5340-373-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/6020-377-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/6020-378-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx
behavioral2/memory/6020-379-0x0000000000400000-0x0000000000A0A000-memory.dmp	upx

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DRVHDD.EXEDRVHDD.EXEWINLOGONW.EXEwintsklt.exeUSBDRVI.EXEDogecoin-Miner2022.exeWININST.EXEWINLOGONW.EXEADOBESTV.EXEUSBDRVI.EXEWINCPU.EXEWINCPU.EXEADOBESTV.EXEWINCPU.EXEWINPLAYEER.EXEWINPLAYEER.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	DRVHDD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wintsklt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Dogecoin-Miner2022.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WININST.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINLOGONW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ADOBESTV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	USBDRVI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ADOBESTV.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINCPU.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINPLAYEER.EXE

Drops startup file 4 IoCs

Processes:

WINPLAYEER.EXEWINAUDIO.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINPLAYEER.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINPLAYEER.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	WINAUDIO.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	WINAUDIO.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dogecoin-Miner2022.exeWINPLAYEER.EXEWINAUDIO.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\Documents\\winrars.exe"	Dogecoin-Miner2022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wintask = "C:\\Users\\Admin\\Documents\\wintsklt.exe"	WINPLAYEER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe"	WINAUDIO.EXE

Suspicious use of SetThreadContext 18 IoCs

Processes:

Dogecoin-Miner2022.exeWININST.EXEWINCPU.EXEDRVHDD.EXEADOBESTV.EXEUSBDRVI.EXEWINPLAYEER.EXEWINLOGONW.EXEADOBESTV.EXEDRVHDD.EXEWINCPU.EXEUSBDRVI.EXEWINPLAYEER.EXEWINLOGONW.EXEMEDIAPL.EXEADOBEL.EXEUSBDRVL.EXEWINAUDIO.EXE

description	pid	process	target process
PID 1112 set thread context of 1592	1112	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 556 set thread context of 3848	556	WININST.EXE	InstallUtil.exe
PID 4208 set thread context of 6100	4208	WINCPU.EXE	WINCPU.EXE
PID 3816 set thread context of 5216	3816	DRVHDD.EXE	DRVHDD.EXE
PID 1268 set thread context of 5628	1268	ADOBESTV.EXE	InstallUtil.exe
PID 2108 set thread context of 5952	2108	USBDRVI.EXE	USBDRVI.EXE
PID 4064 set thread context of 5288	4064	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 4296 set thread context of 4980	4296	WINLOGONW.EXE	WINLOGONW.EXE
PID 1180 set thread context of 1336	1180	ADOBESTV.EXE	InstallUtil.exe
PID 1272 set thread context of 6108	1272	DRVHDD.EXE	DRVHDD.EXE
PID 364 set thread context of 1308	364	WINCPU.EXE	WINCPU.EXE
PID 2624 set thread context of 2532	2624	USBDRVI.EXE	USBDRVI.EXE
PID 2064 set thread context of 1568	2064	WINPLAYEER.EXE	WINPLAYEER.EXE
PID 4912 set thread context of 4208	4912	WINLOGONW.EXE	WINLOGONW.EXE
PID 2520 set thread context of 5340	2520	MEDIAPL.EXE	MEDIAPL.EXE
PID 4548 set thread context of 5356	4548	ADOBEL.EXE	ADOBEL.EXE
PID 3984 set thread context of 5560	3984	USBDRVL.EXE	InstallUtil.exe
PID 4796 set thread context of 5984	4796	WINAUDIO.EXE	WINAUDIO.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4088 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5808 timeout.exe

pid	process
4088	schtasks.exe

pid	process
5808	timeout.exe

NTFS ADS 2 IoCs

Processes:

WINPLAYEER.EXEWINAUDIO.EXE

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	WINPLAYEER.EXE
File opened for modification	C:\Users\Admin\Documents\Documents:ApplicationData	WINAUDIO.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Dogecoin-Miner2022.exeADOBEL.EXEMEDIAPL.EXEWINAUDIO.EXEUSBDRVL.EXEpowershell.exewinrars.exeWININST.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1112	Dogecoin-Miner2022.exe
1112	Dogecoin-Miner2022.exe
4548	ADOBEL.EXE
2520	MEDIAPL.EXE
4796	WINAUDIO.EXE
3984	USBDRVL.EXE
4548	ADOBEL.EXE
4796	WINAUDIO.EXE
2520	MEDIAPL.EXE
3984	USBDRVL.EXE
4976	powershell.exe
4764	winrars.exe
4976	powershell.exe
4764	winrars.exe
556	WININST.EXE
556	WININST.EXE
2680	powershell.exe
4972	powershell.exe
2680	powershell.exe
4972	powershell.exe
3012	powershell.exe
3012	powershell.exe
5100	powershell.exe
5100	powershell.exe
5080	powershell.exe
5080	powershell.exe
1908	powershell.exe
1908	powershell.exe
4156	powershell.exe
4156	powershell.exe
2400	powershell.exe
2400	powershell.exe
1640	powershell.exe
1640	powershell.exe
1516	powershell.exe
1516	powershell.exe
2384	powershell.exe
2384	powershell.exe
2212	powershell.exe
2212	powershell.exe
2680	powershell.exe
2680	powershell.exe
5100	powershell.exe
5100	powershell.exe
4972	powershell.exe
4972	powershell.exe
3012	powershell.exe
3012	powershell.exe
5080	powershell.exe
5080	powershell.exe
4156	powershell.exe
2400	powershell.exe
1908	powershell.exe
1908	powershell.exe
4796	WINAUDIO.EXE
4796	WINAUDIO.EXE
1640	powershell.exe
2212	powershell.exe
1516	powershell.exe
2384	powershell.exe
4796	WINAUDIO.EXE
4796	WINAUDIO.EXE
4764	winrars.exe
4764	winrars.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Dogecoin-Miner2022.exeDogecoin-Miner2022.exeADOBEL.EXEMEDIAPL.EXEWINAUDIO.EXEUSBDRVL.EXEwinrars.exepowershell.exeInstallUtil.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1112	Dogecoin-Miner2022.exe
Token: SeIncreaseQuotaPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeSecurityPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeTakeOwnershipPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeLoadDriverPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeSystemProfilePrivilege	1592	Dogecoin-Miner2022.exe
Token: SeSystemtimePrivilege	1592	Dogecoin-Miner2022.exe
Token: SeProfSingleProcessPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeIncBasePriorityPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeCreatePagefilePrivilege	1592	Dogecoin-Miner2022.exe
Token: SeBackupPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeRestorePrivilege	1592	Dogecoin-Miner2022.exe
Token: SeShutdownPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeDebugPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeSystemEnvironmentPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeChangeNotifyPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeRemoteShutdownPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeUndockPrivilege	1592	Dogecoin-Miner2022.exe
Token: SeManageVolumePrivilege	1592	Dogecoin-Miner2022.exe
Token: SeImpersonatePrivilege	1592	Dogecoin-Miner2022.exe
Token: SeCreateGlobalPrivilege	1592	Dogecoin-Miner2022.exe
Token: 33	1592	Dogecoin-Miner2022.exe
Token: 34	1592	Dogecoin-Miner2022.exe
Token: 35	1592	Dogecoin-Miner2022.exe
Token: 36	1592	Dogecoin-Miner2022.exe
Token: SeDebugPrivilege	4548	ADOBEL.EXE
Token: SeDebugPrivilege	2520	MEDIAPL.EXE
Token: SeDebugPrivilege	4796	WINAUDIO.EXE
Token: SeDebugPrivilege	3984	USBDRVL.EXE
Token: SeDebugPrivilege	4764	winrars.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeIncreaseQuotaPrivilege	3848	InstallUtil.exe
Token: SeSecurityPrivilege	3848	InstallUtil.exe
Token: SeTakeOwnershipPrivilege	3848	InstallUtil.exe
Token: SeLoadDriverPrivilege	3848	InstallUtil.exe
Token: SeSystemProfilePrivilege	3848	InstallUtil.exe
Token: SeSystemtimePrivilege	3848	InstallUtil.exe
Token: SeProfSingleProcessPrivilege	3848	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3848	InstallUtil.exe
Token: SeCreatePagefilePrivilege	3848	InstallUtil.exe
Token: SeBackupPrivilege	3848	InstallUtil.exe
Token: SeRestorePrivilege	3848	InstallUtil.exe
Token: SeShutdownPrivilege	3848	InstallUtil.exe
Token: SeDebugPrivilege	3848	InstallUtil.exe
Token: SeSystemEnvironmentPrivilege	3848	InstallUtil.exe
Token: SeChangeNotifyPrivilege	3848	InstallUtil.exe
Token: SeRemoteShutdownPrivilege	3848	InstallUtil.exe
Token: SeUndockPrivilege	3848	InstallUtil.exe
Token: SeManageVolumePrivilege	3848	InstallUtil.exe
Token: SeImpersonatePrivilege	3848	InstallUtil.exe
Token: SeCreateGlobalPrivilege	3848	InstallUtil.exe
Token: 33	3848	InstallUtil.exe
Token: 34	3848	InstallUtil.exe
Token: 35	3848	InstallUtil.exe
Token: 36	3848	InstallUtil.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

InstallUtil.exeDRVHDD.EXEInstallUtil.exeMEDIAPL.EXEADOBEL.EXE

pid process

3848 InstallUtil.exe
5216 DRVHDD.EXE
5628 InstallUtil.exe
5340 MEDIAPL.EXE
5356 ADOBEL.EXE

pid	process
3848	InstallUtil.exe
5216	DRVHDD.EXE
5628	InstallUtil.exe
5340	MEDIAPL.EXE
5356	ADOBEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dogecoin-Miner2022.exeDogecoin-Miner2022.exeWININST.EXEInstallUtil.exeADOBESTV.EXE

description	pid	process	target process
PID 1112 wrote to memory of 1592	1112	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 1112 wrote to memory of 1592	1112	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 1112 wrote to memory of 1592	1112	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 1112 wrote to memory of 1592	1112	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 1112 wrote to memory of 1592	1112	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 1112 wrote to memory of 1592	1112	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 1112 wrote to memory of 1592	1112	Dogecoin-Miner2022.exe	Dogecoin-Miner2022.exe
PID 1592 wrote to memory of 4548	1592	Dogecoin-Miner2022.exe	ADOBEL.EXE
PID 1592 wrote to memory of 4548	1592	Dogecoin-Miner2022.exe	ADOBEL.EXE
PID 1592 wrote to memory of 4548	1592	Dogecoin-Miner2022.exe	ADOBEL.EXE
PID 1592 wrote to memory of 2520	1592	Dogecoin-Miner2022.exe	MEDIAPL.EXE
PID 1592 wrote to memory of 2520	1592	Dogecoin-Miner2022.exe	MEDIAPL.EXE
PID 1592 wrote to memory of 2520	1592	Dogecoin-Miner2022.exe	MEDIAPL.EXE
PID 1592 wrote to memory of 3984	1592	Dogecoin-Miner2022.exe	USBDRVL.EXE
PID 1592 wrote to memory of 3984	1592	Dogecoin-Miner2022.exe	USBDRVL.EXE
PID 1592 wrote to memory of 3984	1592	Dogecoin-Miner2022.exe	USBDRVL.EXE
PID 1592 wrote to memory of 4796	1592	Dogecoin-Miner2022.exe	WINAUDIO.EXE
PID 1592 wrote to memory of 4796	1592	Dogecoin-Miner2022.exe	WINAUDIO.EXE
PID 1592 wrote to memory of 4796	1592	Dogecoin-Miner2022.exe	WINAUDIO.EXE
PID 1592 wrote to memory of 556	1592	Dogecoin-Miner2022.exe	WININST.EXE
PID 1592 wrote to memory of 556	1592	Dogecoin-Miner2022.exe	WININST.EXE
PID 1592 wrote to memory of 556	1592	Dogecoin-Miner2022.exe	WININST.EXE
PID 1592 wrote to memory of 4764	1592	Dogecoin-Miner2022.exe	winrars.exe
PID 1592 wrote to memory of 4764	1592	Dogecoin-Miner2022.exe	winrars.exe
PID 1592 wrote to memory of 4764	1592	Dogecoin-Miner2022.exe	winrars.exe
PID 556 wrote to memory of 4976	556	WININST.EXE	powershell.exe
PID 556 wrote to memory of 4976	556	WININST.EXE	powershell.exe
PID 556 wrote to memory of 4976	556	WININST.EXE	powershell.exe
PID 556 wrote to memory of 3848	556	WININST.EXE	InstallUtil.exe
PID 556 wrote to memory of 3848	556	WININST.EXE	InstallUtil.exe
PID 556 wrote to memory of 3848	556	WININST.EXE	InstallUtil.exe
PID 556 wrote to memory of 3848	556	WININST.EXE	InstallUtil.exe
PID 556 wrote to memory of 3848	556	WININST.EXE	InstallUtil.exe
PID 556 wrote to memory of 3848	556	WININST.EXE	InstallUtil.exe
PID 556 wrote to memory of 3848	556	WININST.EXE	InstallUtil.exe
PID 3848 wrote to memory of 1268	3848	InstallUtil.exe	ADOBESTV.EXE
PID 3848 wrote to memory of 1268	3848	InstallUtil.exe	ADOBESTV.EXE
PID 3848 wrote to memory of 1268	3848	InstallUtil.exe	ADOBESTV.EXE
PID 3848 wrote to memory of 3816	3848	InstallUtil.exe	DRVHDD.EXE
PID 3848 wrote to memory of 3816	3848	InstallUtil.exe	DRVHDD.EXE
PID 3848 wrote to memory of 3816	3848	InstallUtil.exe	DRVHDD.EXE
PID 3848 wrote to memory of 2108	3848	InstallUtil.exe	USBDRVI.EXE
PID 3848 wrote to memory of 2108	3848	InstallUtil.exe	USBDRVI.EXE
PID 3848 wrote to memory of 2108	3848	InstallUtil.exe	USBDRVI.EXE
PID 3848 wrote to memory of 4208	3848	InstallUtil.exe	WINCPU.EXE
PID 3848 wrote to memory of 4208	3848	InstallUtil.exe	WINCPU.EXE
PID 3848 wrote to memory of 4208	3848	InstallUtil.exe	WINCPU.EXE
PID 3848 wrote to memory of 4912	3848	InstallUtil.exe	WINLOGONW.EXE
PID 3848 wrote to memory of 4912	3848	InstallUtil.exe	WINLOGONW.EXE
PID 3848 wrote to memory of 4912	3848	InstallUtil.exe	WINLOGONW.EXE
PID 3848 wrote to memory of 4064	3848	InstallUtil.exe	WINPLAYEER.EXE
PID 3848 wrote to memory of 4064	3848	InstallUtil.exe	WINPLAYEER.EXE
PID 3848 wrote to memory of 4064	3848	InstallUtil.exe	WINPLAYEER.EXE
PID 3848 wrote to memory of 1180	3848	InstallUtil.exe	ADOBESTV.EXE
PID 3848 wrote to memory of 1180	3848	InstallUtil.exe	ADOBESTV.EXE
PID 3848 wrote to memory of 1180	3848	InstallUtil.exe	ADOBESTV.EXE
PID 3848 wrote to memory of 1272	3848	InstallUtil.exe	DRVHDD.EXE
PID 3848 wrote to memory of 1272	3848	InstallUtil.exe	DRVHDD.EXE
PID 3848 wrote to memory of 1272	3848	InstallUtil.exe	DRVHDD.EXE
PID 3848 wrote to memory of 2624	3848	InstallUtil.exe	USBDRVI.EXE
PID 3848 wrote to memory of 2624	3848	InstallUtil.exe	USBDRVI.EXE
PID 3848 wrote to memory of 2624	3848	InstallUtil.exe	USBDRVI.EXE
PID 1268 wrote to memory of 4972	1268	ADOBESTV.EXE	powershell.exe
PID 1268 wrote to memory of 4972	1268	ADOBESTV.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe
"C:\Users\Admin\AppData\Local\Temp\Dogecoin-Miner2022.exe"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE
"C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE
"C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5340

C:\Users\Admin\AppData\Local\Temp\USBDRVL.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVL.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
"C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
"C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE"
4⤵
- Executes dropped EXE
PID:5372

C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
"C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE"
4⤵
- Executes dropped EXE
PID:5740

C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
"C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE"
4⤵
- Executes dropped EXE
PID:5924

C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
"C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:5984

C:\Users\Admin\Documents\images.exe
"C:\Users\Admin\Documents\images.exe"
5⤵
- Executes dropped EXE
PID:5208

C:\Users\Admin\AppData\Local\Temp\WININST.EXE
"C:\Users\Admin\AppData\Local\Temp\WININST.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:5636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
- Suspicious use of SetWindowsHookEx
PID:5628

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
6⤵
- Executes dropped EXE
PID:5464

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
6⤵
- Executes dropped EXE
PID:5256

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5216

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
6⤵
- Executes dropped EXE
PID:5952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
6⤵
- Executes dropped EXE
PID:6084

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:6100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'
7⤵
- Creates scheduled task(s)
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5DE.tmp.bat""
7⤵
PID:5176

C:\Windows\SysWOW64\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:5808

C:\Users\Admin\AppData\Roaming\wintskl.exe
"C:\Users\Admin\AppData\Roaming\wintskl.exe"
8⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
6⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
PID:5288

C:\Users\Admin\Documents\wintsklt.exe
"C:\Users\Admin\Documents\wintsklt.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:3540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
8⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
6⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
6⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
"C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
"C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:6108

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
"C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
6⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
6⤵
- Executes dropped EXE
PID:2532

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
"C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
6⤵
- Executes dropped EXE
PID:1308

C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
6⤵
- Executes dropped EXE
PID:6112

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
6⤵
- Executes dropped EXE
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
"C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
6⤵
- Executes dropped EXE
PID:4980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
7⤵
PID:5596

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
- Executes dropped EXE
PID:5844

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
- Executes dropped EXE
PID:5964

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
- Executes dropped EXE
PID:5996

C:\Users\Admin\Documents\winrars.exe
"C:\Users\Admin\Documents\winrars.exe"
4⤵
PID:6020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINCPU.EXE.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
f543b25082a5aaf23621ea7b8c75f204

SHA1
586780886834a826f3b307fd01d69eb669970953

SHA256
bcdf0f30ebacd59a7b6efb255e39cf21d2215fe3ca7ea58d109ac22b1d08c95c

SHA512
02150fa44e055c7487c66ad1a82cdf41890feb875045535d66aa5f26a62d2c197b8150150852de65f6569108c5272e1feb60e6c3fd07feaae7e4b4c2c4172320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
cfec30dd669d6f5773c1d9de7dfba238

SHA1
953f4dd63952b4df4770294fec48d2de1e15c704

SHA256
fd64a564544ced7c3f7aa9d83dde5628f04cd84da2cd056d0e9a38e629158030

SHA512
fe58e20143794caf3b60d4cbabb5f77cd34b9c8edd203a5a05c37ee7a07ea7abe38ab26b11aadd2df01dcb62945e81fea3241e44f663fa483e1cd2fb3a1d2df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
1ae0f7728b774a7d163161f8401af2ed

SHA1
3f401e74edfe99d5e6d667b82c017640649dea6d

SHA256
5034bbc5e5d86dd46acfb31aa90df2884abeb63497a764700ba56727a26a442e

SHA512
3f4f2e272d874a40779ac95f4d22deeb9755a502ce83d4881738d8fcce97fb10052b2808a20dc7e85ec409949104885671bcdb8d81899e8b2d2d40e6546a7f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
2182c780e0f60143d73862f24d3d5b32

SHA1
020af797573bff89ef8d32afff4aebbf3fd47574

SHA256
6eb2cf155961493cae9513a6954ce3893570752ec8565393bdc7a0b56fcb8b93

SHA512
0eb94689f277379f5ef16edcb41f7ab663f8e3ad4cb600bfd93185de3da07613837d3c819d2344f14184f340dad7f5e6e0cb6b162f82311f727c83388e02c004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
f1d013b5c620a2967c7d6912df17b844

SHA1
15f124a2a838948ef8046c5817b338f348687024

SHA256
3196e956a2f6482ce991f3c94e2a03dad2bed61934e7f000d680dbe6aafd6be9

SHA512
12bfde47608806757e2eb08906ae92846ff55be29bf9cd263931e9581b4ac53abdd133e6c80119f8c4d36c44f48e9951350c31d82bd0fe94fb6a68b979004d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
7874312abe57764a7db6dc4056b989eb

SHA1
4aa5c60727f6a11fe20a6d4bc1e10374a9f3a2c7

SHA256
fd890bb20eacab1ae578b4da68161794d9ec25388a8bd306905be05b528513a8

SHA512
94dc5058ff61b17f59f8b992bb6424488cda75e675744151bf8dcbe3c51cc1ca98234424d3b787b1e71531e31a349f9267da1ccb8ad5121327596a974581048f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
8f08fd42bd237de3d24e85a8165eb4b3

SHA1
ed514d6814c01f0d0efad6c1bed596aa400fc1a3

SHA256
9ca7e291cf5b475e5c955fbd4de55f27e635c0011df118490e1ccc4f94b3f63a

SHA512
0b18549b6357d20e90667dad42fd55bd28863992506038521221f5dab8b5b76b6f6ea9e5d1ce74c5cc04c627a13ff081543551c92bca1ae304a0da68eac129b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
8f08fd42bd237de3d24e85a8165eb4b3

SHA1
ed514d6814c01f0d0efad6c1bed596aa400fc1a3

SHA256
9ca7e291cf5b475e5c955fbd4de55f27e635c0011df118490e1ccc4f94b3f63a

SHA512
0b18549b6357d20e90667dad42fd55bd28863992506038521221f5dab8b5b76b6f6ea9e5d1ce74c5cc04c627a13ff081543551c92bca1ae304a0da68eac129b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
7874312abe57764a7db6dc4056b989eb

SHA1
4aa5c60727f6a11fe20a6d4bc1e10374a9f3a2c7

SHA256
fd890bb20eacab1ae578b4da68161794d9ec25388a8bd306905be05b528513a8

SHA512
94dc5058ff61b17f59f8b992bb6424488cda75e675744151bf8dcbe3c51cc1ca98234424d3b787b1e71531e31a349f9267da1ccb8ad5121327596a974581048f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
8f08fd42bd237de3d24e85a8165eb4b3

SHA1
ed514d6814c01f0d0efad6c1bed596aa400fc1a3

SHA256
9ca7e291cf5b475e5c955fbd4de55f27e635c0011df118490e1ccc4f94b3f63a

SHA512
0b18549b6357d20e90667dad42fd55bd28863992506038521221f5dab8b5b76b6f6ea9e5d1ce74c5cc04c627a13ff081543551c92bca1ae304a0da68eac129b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
8f08fd42bd237de3d24e85a8165eb4b3

SHA1
ed514d6814c01f0d0efad6c1bed596aa400fc1a3

SHA256
9ca7e291cf5b475e5c955fbd4de55f27e635c0011df118490e1ccc4f94b3f63a

SHA512
0b18549b6357d20e90667dad42fd55bd28863992506038521221f5dab8b5b76b6f6ea9e5d1ce74c5cc04c627a13ff081543551c92bca1ae304a0da68eac129b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
8f08fd42bd237de3d24e85a8165eb4b3

SHA1
ed514d6814c01f0d0efad6c1bed596aa400fc1a3

SHA256
9ca7e291cf5b475e5c955fbd4de55f27e635c0011df118490e1ccc4f94b3f63a

SHA512
0b18549b6357d20e90667dad42fd55bd28863992506038521221f5dab8b5b76b6f6ea9e5d1ce74c5cc04c627a13ff081543551c92bca1ae304a0da68eac129b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE
Filesize
985KB

MD5
fad81a8f80f87e9b17b2a3dce00668f6

SHA1
8d9e668075212b0f03b80074e4eb504641fb777c

SHA256
c56a8eafee823b1b1314ada0a16f5c605161a8124058d074aac024a35da6510a

SHA512
ec5da33612b05fd6230b52b99423fb65757c8c358310dde007aaec1664fce37ab3891cfb447e1961da3309434a0c3bc54dd94f7f7c016beb7f1f407c8e18bb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBEL.EXE
Filesize
985KB

MD5
fad81a8f80f87e9b17b2a3dce00668f6

SHA1
8d9e668075212b0f03b80074e4eb504641fb777c

SHA256
c56a8eafee823b1b1314ada0a16f5c605161a8124058d074aac024a35da6510a

SHA512
ec5da33612b05fd6230b52b99423fb65757c8c358310dde007aaec1664fce37ab3891cfb447e1961da3309434a0c3bc54dd94f7f7c016beb7f1f407c8e18bb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADOBESTV.EXE
Filesize
726KB

MD5
1ec6c9e7c0765db2986e53b4b74d1309

SHA1
3a4c4d9b1f2585143e8b16ee9b7bd8ad36f8582a

SHA256
6370990541b953f4eb8bc639513953dbc113eb0487e635eb90d170ade968bc9c

SHA512
45246b9196332a808072e2882bf5170e1531f67b26f085fbe065f5815224d12e0505910649361cfa9922f1c42260c071d90abdba830825154fff6bf7132ec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE
Filesize
621KB

MD5
ca7c02df3ed08ea9cab8da59f1e5bd8d

SHA1
97eb40ea42e9c3b531a70bc298fece3885f59e3f

SHA256
4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532

SHA512
dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE
Filesize
1.0MB

MD5
394a78e8ca31affd5a96db8f22ff965a

SHA1
14671b470360ccce32727e1358d4be009f770a60

SHA256
55cae6c7ed0fdf78bb508d16486aff62b28e12f71673eb0d8da677d9b2c9083b

SHA512
b0559026884d91710c95c1f34ef32226ace8d27149c4ca6fa845ad7c78967d37e296d5dc0067f220bb3980b9b9a7233250c4d65bb63c8c7d88602f32d3a6b5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEDIAPL.EXE
Filesize
1.0MB

MD5
394a78e8ca31affd5a96db8f22ff965a

SHA1
14671b470360ccce32727e1358d4be009f770a60

SHA256
55cae6c7ed0fdf78bb508d16486aff62b28e12f71673eb0d8da677d9b2c9083b

SHA512
b0559026884d91710c95c1f34ef32226ace8d27149c4ca6fa845ad7c78967d37e296d5dc0067f220bb3980b9b9a7233250c4d65bb63c8c7d88602f32d3a6b5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVI.EXE
Filesize
444KB

MD5
080b40ab05695bbb8dc38e4918b0dc7e

SHA1
8203bcc0834811a1c29bfa719ca88259c982c803

SHA256
220d67d648cbeae3a1c75ba1208a6646990f50772ba0a92a7c0bab7911665310

SHA512
8b69db6ec47d50c17eab378c4f8fc4e46f8007c90d639e7ef5961a1ff088165b791398ec3d8a953ca35d88d7fd4a69e5ab5450f6dcd4124c664a185d19623f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVL.EXE
Filesize
460KB

MD5
f801a1ed5cc85679c8531f6b8615d4bb

SHA1
27ce78dee6bfaec60168919a4ebbe7018b1ed221

SHA256
c4620c2664fdc755792d04f2c7c4fa6fa7895a84f71f8c249345d630c60b4a92

SHA512
39200249fb2fbb6521ebc7b321bcd5c2f8e39b2b1bf7d7da48fd7ffc5e7115d8220dbab3939431dca87f7723076b8bb0d01888d32a688d26d1f08c5bee41d465

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDRVL.EXE
Filesize
460KB

MD5
f801a1ed5cc85679c8531f6b8615d4bb

SHA1
27ce78dee6bfaec60168919a4ebbe7018b1ed221

SHA256
c4620c2664fdc755792d04f2c7c4fa6fa7895a84f71f8c249345d630c60b4a92

SHA512
39200249fb2fbb6521ebc7b321bcd5c2f8e39b2b1bf7d7da48fd7ffc5e7115d8220dbab3939431dca87f7723076b8bb0d01888d32a688d26d1f08c5bee41d465

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
Filesize
681KB

MD5
1bcdee3deb2bbd592d95a05eb2684146

SHA1
84783a744992736460ac91b941efac196da993c1

SHA256
526e878235324760850d6627c53b99badabe482130eb7d95712eddfb8de8092c

SHA512
32e0145c2ff1b657683c5e529690b5be1d57e7b0087b1e2bfe355c153069684fec5577e45a9bd45a1f3ca986268fa8a35413580fb36f56aa047f6068c7df80a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
Filesize
681KB

MD5
1bcdee3deb2bbd592d95a05eb2684146

SHA1
84783a744992736460ac91b941efac196da993c1

SHA256
526e878235324760850d6627c53b99badabe482130eb7d95712eddfb8de8092c

SHA512
32e0145c2ff1b657683c5e529690b5be1d57e7b0087b1e2bfe355c153069684fec5577e45a9bd45a1f3ca986268fa8a35413580fb36f56aa047f6068c7df80a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
Filesize
681KB

MD5
1bcdee3deb2bbd592d95a05eb2684146

SHA1
84783a744992736460ac91b941efac196da993c1

SHA256
526e878235324760850d6627c53b99badabe482130eb7d95712eddfb8de8092c

SHA512
32e0145c2ff1b657683c5e529690b5be1d57e7b0087b1e2bfe355c153069684fec5577e45a9bd45a1f3ca986268fa8a35413580fb36f56aa047f6068c7df80a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
Filesize
681KB

MD5
1bcdee3deb2bbd592d95a05eb2684146

SHA1
84783a744992736460ac91b941efac196da993c1

SHA256
526e878235324760850d6627c53b99badabe482130eb7d95712eddfb8de8092c

SHA512
32e0145c2ff1b657683c5e529690b5be1d57e7b0087b1e2bfe355c153069684fec5577e45a9bd45a1f3ca986268fa8a35413580fb36f56aa047f6068c7df80a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINAUDIO.EXE
Filesize
681KB

MD5
1bcdee3deb2bbd592d95a05eb2684146

SHA1
84783a744992736460ac91b941efac196da993c1

SHA256
526e878235324760850d6627c53b99badabe482130eb7d95712eddfb8de8092c

SHA512
32e0145c2ff1b657683c5e529690b5be1d57e7b0087b1e2bfe355c153069684fec5577e45a9bd45a1f3ca986268fa8a35413580fb36f56aa047f6068c7df80a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINCPU.EXE
Filesize
397KB

MD5
52195e2a7f97c64cae5e8a29526e331b

SHA1
8b9ba509ab3708ca6c3ddc9e6b2159b6c8b3a757

SHA256
a43109ea48654a6991a1b53ac29b54cec0dcf75cf0228ea661a40d8b976c1c2b

SHA512
44178e0ea91eb402fce4b4d496f550c3ec1483130af840e867d0086a564695f41a32789882caf5b25bd908b46668330dc7b266599f04a5f451e113fcf881889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WININST.EXE
Filesize
2.1MB

MD5
363e16c17f14b6afc2b4d76a5bcd6d92

SHA1
d13feb1cce32abf5b9d6790c3c1b0b802b555daf

SHA256
7ffb773e458a7d40d4d4c0163bf24b0a0c266c7f6ab3ccba830d259fba5a3970

SHA512
3ada9b4b9d28c7dd552e918255460219c1316e147456b55867f2f31a268f80cad6aa4139feee4f546348fd7662d9f330d11cb08c1894b74199ca37a304b1e46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WININST.EXE
Filesize
2.1MB

MD5
363e16c17f14b6afc2b4d76a5bcd6d92

SHA1
d13feb1cce32abf5b9d6790c3c1b0b802b555daf

SHA256
7ffb773e458a7d40d4d4c0163bf24b0a0c266c7f6ab3ccba830d259fba5a3970

SHA512
3ada9b4b9d28c7dd552e918255460219c1316e147456b55867f2f31a268f80cad6aa4139feee4f546348fd7662d9f330d11cb08c1894b74199ca37a304b1e46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGONW.EXE
Filesize
435KB

MD5
f2f861cc0985546a748142eaca913cfb

SHA1
f26db0c99c531261780a9f2fc3584d50328ad9af

SHA256
63ffad17f29cec99a45b9fe2c2ac410ef658da920f681beabaa0e4a347cc22df

SHA512
875761c5369c293c351b0cdd3fedaf6b5048ab481b1dd29bd2c61df577063fd6f8b996398aef31e77ec11a49aa0e9578f6933c2f105e60e9af3de0233119371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINPLAYEER.EXE
Filesize
445KB

MD5
91bb5739afce122ddea99a91758bde4a

SHA1
f61823897e81e3cc806de9a3dd9d949418bcad44

SHA256
ec197f82688c7181d0c185f7dfd2a60cd74187380247ebaacec7cbc9c7c3585b

SHA512
bf2c8b038949f3c030ef184f2eb6cf783c2f547d326464114c47ec3fec3cde8b864b290002eb034b08a80b990c69df1a51d71dd2c5eaf40bece8da895ce4f06b

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Users\Admin\Documents\winrars.exe
Filesize
5.8MB

MD5
e72b1feb2a030b80c0c5209dbdfc6b94

SHA1
bf5c2c1dc9a1f65938af801146022939216a4504

SHA256
96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365

SHA512
2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
21B

MD5
2ddca716eff6ab2f8d96dc3d39527386

SHA1
4c1c65fa4d6bffe17dc9e04e193adf6db9d0994f

SHA256
e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a

SHA512
5b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3

Download Submit
memory/364-216-0x0000000000000000-mapping.dmp

Download
memory/556-159-0x0000000000000000-mapping.dmp

Download
memory/556-162-0x0000000000FF0000-0x0000000001216000-memory.dmp

Filesize
2.1MB

Download
memory/1112-134-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/1112-133-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/1112-135-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/1112-136-0x0000000006620000-0x000000000662A000-memory.dmp

Filesize
40KB

Download
memory/1112-132-0x0000000000BA0000-0x000000000117A000-memory.dmp

Filesize
5.9MB

Download
memory/1180-208-0x0000000000000000-mapping.dmp

Download
memory/1268-189-0x0000000000420000-0x00000000004DA000-memory.dmp

Filesize
744KB

Download
memory/1268-183-0x0000000000000000-mapping.dmp

Download
memory/1272-209-0x0000000000000000-mapping.dmp

Download
memory/1308-319-0x0000000000000000-mapping.dmp

Download
memory/1336-331-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1336-302-0x0000000000000000-mapping.dmp

Download
memory/1516-230-0x0000000000000000-mapping.dmp

Download
memory/1568-344-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1568-307-0x0000000000000000-mapping.dmp

Download
memory/1568-366-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1592-141-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/1592-137-0x0000000000000000-mapping.dmp

Download
memory/1592-138-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/1592-140-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/1592-142-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/1592-168-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/1640-229-0x0000000000000000-mapping.dmp

Download
memory/1908-225-0x0000000000000000-mapping.dmp

Download
memory/1936-308-0x0000000000000000-mapping.dmp

Download
memory/2064-221-0x0000000000000000-mapping.dmp

Download
memory/2108-199-0x0000000000DB0000-0x0000000000E24000-memory.dmp

Filesize
464KB

Download
memory/2108-190-0x0000000000000000-mapping.dmp

Download
memory/2212-231-0x0000000000000000-mapping.dmp

Download
memory/2264-361-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2384-232-0x0000000000000000-mapping.dmp

Download
memory/2400-228-0x0000000000000000-mapping.dmp

Download
memory/2520-154-0x0000000000900000-0x0000000000A08000-memory.dmp

Filesize
1.0MB

Download
memory/2520-147-0x0000000000000000-mapping.dmp

Download
memory/2532-341-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2532-313-0x0000000000000000-mapping.dmp

Download
memory/2532-346-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2624-212-0x0000000000000000-mapping.dmp

Download
memory/2680-214-0x0000000000000000-mapping.dmp

Download
memory/2736-303-0x0000000000000000-mapping.dmp

Download
memory/3012-218-0x0000000000000000-mapping.dmp

Download
memory/3816-191-0x0000000000E80000-0x0000000000F20000-memory.dmp

Filesize
640KB

Download
memory/3816-186-0x0000000000000000-mapping.dmp

Download
memory/3848-178-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3848-244-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3848-180-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3848-181-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3848-195-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/3848-177-0x0000000000000000-mapping.dmp

Download
memory/3984-150-0x0000000000000000-mapping.dmp

Download
memory/3984-157-0x00000000005A0000-0x000000000061A000-memory.dmp

Filesize
488KB

Download
memory/4064-207-0x00000000005C0000-0x0000000000636000-memory.dmp

Filesize
472KB

Download
memory/4064-203-0x0000000000000000-mapping.dmp

Download
memory/4156-227-0x0000000000000000-mapping.dmp

Download
memory/4208-347-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4208-323-0x0000000000000000-mapping.dmp

Download
memory/4208-194-0x0000000000000000-mapping.dmp

Download
memory/4208-342-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4208-200-0x00000000007E0000-0x0000000000848000-memory.dmp

Filesize
416KB

Download
memory/4296-219-0x0000000000000000-mapping.dmp

Download
memory/4548-146-0x00000000002F0000-0x00000000003EC000-memory.dmp

Filesize
1008KB

Download
memory/4548-143-0x0000000000000000-mapping.dmp

Download
memory/4764-166-0x0000000000A90000-0x000000000106A000-memory.dmp

Filesize
5.9MB

Download
memory/4764-163-0x0000000000000000-mapping.dmp

Download
memory/4796-153-0x0000000000000000-mapping.dmp

Download
memory/4796-158-0x0000000000950000-0x0000000000A00000-memory.dmp

Filesize
704KB

Download
memory/4872-343-0x0000000000000000-mapping.dmp

Download
memory/4872-348-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/4912-198-0x0000000000000000-mapping.dmp

Download
memory/4912-206-0x0000000000EC0000-0x0000000000F32000-memory.dmp

Filesize
456KB

Download
memory/4972-213-0x0000000000000000-mapping.dmp

Download
memory/4976-169-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/4976-167-0x0000000000000000-mapping.dmp

Download
memory/4976-176-0x0000000006590000-0x00000000065AA000-memory.dmp

Filesize
104KB

Download
memory/4976-170-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/4976-171-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/4976-172-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/4976-173-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/4976-174-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/4976-175-0x00000000078C0000-0x0000000007F3A000-memory.dmp

Filesize
6.5MB

Download
memory/4980-333-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4980-321-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4980-304-0x0000000000000000-mapping.dmp

Download
memory/4980-309-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4980-365-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5080-224-0x0000000000000000-mapping.dmp

Download
memory/5100-220-0x0000000000000000-mapping.dmp

Download
memory/5208-372-0x0000000000A70000-0x0000000000B20000-memory.dmp

Filesize
704KB

Download
memory/5216-268-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5216-265-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5216-267-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5216-269-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5216-280-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5216-264-0x0000000000000000-mapping.dmp

Download
memory/5256-262-0x0000000000000000-mapping.dmp

Download
memory/5288-294-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5288-345-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5288-287-0x0000000000000000-mapping.dmp

Download
memory/5288-288-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5288-291-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5340-351-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5340-356-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5340-359-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5340-373-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5340-352-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5340-233-0x0000000000000000-mapping.dmp

Download
memory/5340-354-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5356-357-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5356-360-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5356-353-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5356-374-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5356-363-0x000000000AD00000-0x000000000AEA0000-memory.dmp

Filesize
1.6MB

Download
memory/5356-234-0x0000000000000000-mapping.dmp

Download
memory/5372-235-0x0000000000000000-mapping.dmp

Download
memory/5464-260-0x0000000000000000-mapping.dmp

Download
memory/5560-358-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5560-237-0x0000000000000000-mapping.dmp

Download
memory/5596-349-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/5628-292-0x000000006E680000-0x000000006E6B9000-memory.dmp

Filesize
228KB

Download
memory/5628-282-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5628-273-0x0000000000000000-mapping.dmp

Download
memory/5628-274-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5628-276-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5628-278-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5628-362-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5636-272-0x0000000000000000-mapping.dmp

Download
memory/5648-350-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/5740-240-0x0000000000000000-mapping.dmp

Download
memory/5844-241-0x0000000000000000-mapping.dmp

Download
memory/5924-243-0x0000000000000000-mapping.dmp

Download
memory/5952-285-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5952-364-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5952-279-0x0000000000000000-mapping.dmp

Download
memory/5952-293-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5952-281-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/5964-246-0x0000000000000000-mapping.dmp

Download
memory/5984-370-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5984-371-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5984-248-0x0000000000000000-mapping.dmp

Download
memory/5984-367-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5984-369-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/5996-250-0x0000000000000000-mapping.dmp

Download
memory/6020-379-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/6020-378-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/6020-377-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/6020-252-0x0000000000000000-mapping.dmp

Download
memory/6084-253-0x0000000000000000-mapping.dmp

Download
memory/6100-255-0x0000000000000000-mapping.dmp

Download
memory/6100-256-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6108-339-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6108-335-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6108-305-0x0000000000000000-mapping.dmp

Download
memory/6112-306-0x0000000000000000-mapping.dmp

Download